Cyber training is even more important with a remote workforce
Written by Oliver Pinson-Roxburgh on 17/07/2020
Staff are your first line of defence
Working remotely has its own personal challenges in terms of productivity: between the cat walking across your keyboard and the kids dropping in on your Zoom meetings, workers across the globe have had to adjust to doing their job in a different way.
Organisations also had to swiftly transition to employees working remotely, and this has introduced a new set of risks from a cyber security perspective. From personal devices being used to connect to the corporate network (as many as 61% of employees, according to a survey conducted by Promon), down to the deployment of patches through the limited bandwidth of VPNs, IT and security teams have certainly had their hands full trying to adapt their processes to sometimes completely untested ground.
To make matters worse, cybercriminals have been taking advantage of people’s fears to launch themed attacks, carefully engineered to exploit the fear and the understandable thirst for information that the public has in a time of uncertainty. From phishing emails purporting to be from institutions such as the World Health Organisation, to ransomware attacks delivered through apps purporting to provide genuine information on COVID-19, threat actors are exploiting this global crisis to make a profit.
In light of these new threats, one component of organisations’ IT security strategy has become even more crucial: cyber security training. Often, simple human error is all that sits between a hacker and access to the corporate network. This makes bolstering defences at the user level particularly important in the era of remote working, as personal devices offer hackers even more opportunities to attack.
But not all training programmes are created equal, and not all are easily deployable to a remote workforce. Here are a few tips for organisations looking to harden their security posture through security awareness training.
Flexible, cost-effective and scalable: e-learning
Particularly useful with a remote workforce, e-learning is not only scalable and easily deployed to the entire organisation, but it also produces better learning outcomes. Studies have shown that employees take between 40% and 60% less time to learn the same material when following a course online, as compared to the time it would take them to learn it in a classroom setting. With online programmes, employees are able to fit training sessions around their day and proceed at their own pace, without interrupting their workflow.
In fact, after deploying an e-learning programme with its employees, IBM found that, without increasing the time spent on the training, employees were learning as much as five times more material than they did when following the same course delivered in a classroom or with physical manuals.
Online learning is also a good way to monitor what stage of the training employees are at and allow organisations to follow up with workers that are behind with their assigned learning objectives.
Security training shouldn’t be a tickbox exercise
Each training solution has its merit, but there is one thing that will significantly improve the efficacy of any chosen programme: frequency.
Unfortunately, many organisations approach cyber security awareness training as an item to tick off their compliance list, and limit themselves to a single, classroom-based session. Worse, some provide employees with a print-out of the best practices to follow, a list of potentially harmful websites, and nothing more. In fact, as of 2018, of the 45% of organisations that were providing formal security training, only 10% were doing so monthly or quarterly, and 9% were only training employees as they joined the company.
Whilst it is impossible to reduce the risk of a human error causing a security compromise down to zero, repeating awareness training can certainly reinforce the message. By holding regular training sessions, organisations can also better prepare employees for the latest threats and newly discovered malicious campaigns.
Is it specific to the nature of the organisation?
Training programmes are most effective when targeted at the specific sector or, better, the specific organisation they are aimed at.
One thing that we found to be particularly effective is to show employees what a hacker would see, effectively asking them to put themselves into the shoes of an attacker to anticipate their moves and to act with the risks in mind. By learning to think like a hacker, users will be able to recognise specific instances that require them to proceed with caution, but they will also learn how to think with security in mind in a broader sense and apply cyber hygiene best practices to all operations.
Is it skill specific?
It should go without saying that cyber security training needs to be skill specific. Naturally, assigning the IT team a multiple-choice quiz on how to spot a phishing email is likely to leave these technical and tech-savvy employees bored, if not annoyed. Similarly, overly specific and jargon ridden exercises are likely to alienate less tech-minded individuals.
Rather, exercises should be appropriate to the level of knowledge of the employees they are aimed at, ensuring that they are suitably challenging, easy to follow and – most of all – memorable. Naturally, all employees should still complete a training programme that includes all the essentials, with modules adapted to their technical level. In addition, training should be aligned to the way that each particular employee group absorbs information. For example, techies love to get hands-on, and training that isn't suited to their learning methodology can lead to boredom and frustration.
Invest in training while your employees are working from home
Making an investment in cyber security may seem inconvenient, given how the world’s economy is slowing down and budgets are harder to obtain – even more so for something traditionally hard to measure in terms of return on investment. However, the heightened risk of a security compromise means that all organisations, even those who have run cyber security awareness training programmes in the past, should consider hardening their defences at the user level.
Cyber criminals have already made it clear that the lockdown not only hasn’t affected their operations, but has opened up a window of opportunity they are not going to waste. As organisations’ defences are put to the test by a new mode of working, cyber security awareness training is perhaps the simplest, most scalable and easiest-to-tailor solution that can be deployed to bolster their security posture.