Cyber training is even more important with a remote workforce

Written by Oliver Pinson-Roxburgh on 17/07/2020

Staff are your first line of defence

Working remotely has its own personal challenges in terms of productivity: between the cat walking across your keyboard and the kids dropping in on your Zoom meetings, workers across the globe have had to adjust to doing their job in a different way.

Organisations also had to swiftly transition to employees working remotely, and this has introduced a new set of risks from a cyber security perspective. From personal devices being used to connect to the corporate network (as many as 61% of employees, according to a survey conducted by Promon), down to the deployment of patches through the limited bandwidth of VPNs, IT and security teams have certainly had their hands full trying to adapt their processes to what is sometimes completely untested ground.

To make matters worse, cybercriminals have been taking advantage of people’s fears to launch themed attacks, carefully engineered to exploit the fear and the understandable thirst for information that the public has in a time of uncertainty. From phishing emails purporting to be from institutions such as the World Health Organisation, to ransomware attacks delivered through apps purporting to provide genuine information on COVID-19, threat actors are exploiting this global crisis to make a profit.

In light of these new threats, one component of organisations’ IT security strategy has become even more crucial: cyber security training. Often, simple human error is all that sits between a hacker and access to the corporate network. This makes bolstering defences at the user level particularly important in the era of remote working, as personal devices offer hackers even more opportunities to attack.

But not all training programmes are created equal, and not all are easily deployable to a remote workforce. Here are a few tips for organisations looking to harden their security posture through security awareness training.

Flexible, cost-effective and scalable: e-learning

Particularly useful with a remote workforce, e-learning is not only scalable and easily deployed to the entire organisation, but it also produces better learning outcomes. Studies have shown that employees take between 40% and 60% less time to learn the same material when following a course online, as compared to the time it would take them to learn it in a classroom setting. With online programmes, employees are able to fit training sessions around their day and proceed at their own pace, without interrupting their workflow.

In fact, after deploying an e-learning programme with its employees, IBM found that, without increasing the time spent on the training, employees were learning as much as five times more material than they did when following the same course delivered in a classroom or with physical manuals.

Online learning is also a good way to monitor what stage of the training employees are at, and it allows organisations to follow up with workers who are behind with their assigned learning objectives.


Security training shouldn’t be a tickbox exercise

Each training solution has its merit, but there is one thing that will significantly improve the efficacy of any chosen programme: frequency.

Unfortunately, many organisations approach cyber security awareness training as an item to tick off their compliance list, and limit themselves to a single, classroom-based session. Worse, some provide employees with a print-out of the best practices to follow, a list of potentially harmful websites, and nothing more. In fact, as of 2018, of the 45% of organisations that were providing formal security training, only 10% were doing so monthly or quarterly, and 9% were only training employees as they joined the company.

Whilst it is impossible to reduce the risk of a human error causing a security compromise down to zero, repeating awareness training can certainly reinforce the message. By holding regular training sessions, organisations can also better prepare employees for the latest threats and newly discovered malicious campaigns.

Is it specific to the nature of the organisation?

Training programmes are most effective when targeted at the specific sector or, better, the specific organisation they are aimed at.

One thing that we found to be particularly effective is to show employees what a hacker would see, effectively asking them to put themselves into the shoes of an attacker to anticipate their moves and to act with the risks in mind. By learning to think like a hacker, users will be able to recognise specific instances that require them to proceed with caution, but they will also learn how to think with security in mind in a broader sense and apply cyber hygiene best practices to all operations.

Is it skill specific?

It should go without saying that cyber security training needs to be skill specific. Naturally, assigning the IT team a multiple-choice quiz on how to spot a phishing email is likely to leave these technical and tech-savvy employees bored, if not annoyed. Similarly, overly specific and jargon-ridden exercises are likely to alienate less tech-minded individuals.

Rather, exercises should be appropriate to the level of knowledge of the employees they are aimed at, ensuring that they are suitably challenging, easy to follow and, most of all, memorable. Naturally, all employees should still complete a training programme that includes all the essentials, with modules adapted to their technical level. In addition, training should be aligned to the way that each particular employee group absorbs information. For example, techies love to get hands-on, and training that isn't suited to their learning methodology can lead to boredom and frustration.

Invest in training while your employees are working from home

Making an investment in cyber security may seem inconvenient, given how the world’s economy is slowing down and budgets are harder to obtain – even more so for something traditionally hard to measure in terms of return on investment. However, the heightened risk of a security compromise means that all organisations, even those who have run cyber security awareness training programmes in the past, should consider hardening their defences at the user level.

Cyber criminals have already made it clear that the lockdown not only hasn’t affected their operations, but has opened up a window of opportunity they are not going to waste. As organisations’ defences are put to the test by a new mode of working, cyber security awareness training is perhaps the simplest, most scalable and easiest-to-tailor solution that can be deployed to bolster their security posture.


In summary

Investing in cyber security training is more important now than ever, so make sure that the cyber security training you procure is:

  • Flexible to deploy
  • Not a tickbox exercise
  • Skill specific
  • Relevant to the nature of your organisation

By following these simple steps, you’ll take great strides to avoid data breaches and keep hackers out of your corporate infrastructure.


