How To Train Remote-Working Employees On Cybersecurity

Last year, the world experienced huge challenges created by the pandemic. Not only were we living in a state of uncertainty, but most of the workforce was also suddenly working from home offices and using their personal internet connections. Where once IT professionals could walk down a hallway to address technology issues, they now have to use remote access and attempt to talk staff through better computer safety practices.

Cybercriminals saw this tear in the fabric of cybersecurity networks and changed tactics by targeting employees who work from home. I’ve designed websites for virtually my entire life, so I knew to expect chaos when the coronavirus hit. True to form, more than 40% of businesses had at least one cyberattack related to the pandemic in 2020, according to a Tenable report (via TechRepublic). Small businesses and governments were hit especially hard as IT professionals experienced access inefficiencies, VPN vulnerabilities and staff shortages.

It became apparent that implementing or retraining employees on cybersecurity was necessary. But prioritizing cybersecurity can be difficult. Many business leaders see it as a drain on critical resources, a luxury afforded by only those with significant assets to protect. They do not realize the variety of ways someone can lose their life savings, intellectual property and more — without ever divulging a password, no less.

In today’s world, businesses simply can’t afford to forgo cybersecurity awareness training. It’s a potentially catastrophic mistake.

Cybersecurity Policies In The Age Of Remote Work

Remote work has been on the rise for years, but the global Covid-19 pandemic catapulted this practice into the next era. While working from home yields many benefits, it comes with substantial drawbacks as well. In a home office, employees use home internet connections rather than the securer ones that IT professionals install in the office. Less secure home networks open up every device in an employee’s house to become a target for corporate espionage.

And with almost half of employees lacking regular cybersecurity training, smaller businesses are at extra risk. The effects of a cyberattack can be more devastating for them. Do you have an expensive PR company to handle the fallout of a data breach and subsequent media coverage? Do you have lines of credit to survive extended downtime while forensic teams determine what sensitive financial data was stolen from your business? A data breach can instantly bring the wheels to a grinding halt for a startup, which can be a life-or-death moment for the company.

Sometimes all it takes is a single employee falling for a phishing scam for an entire organization’s data to be hacked, encrypted and held hostage by cybercriminals. Let’s say an employee receives an email that appears to have been sent from an executive. The request is for the employee to send an Amazon gift card to a random email address as payment for services. If the employee follows these instructions, suddenly the hacker gains access to — and then holds for ransom — the company’s valuable data.

Public and private sectors have spent hundreds of millions of dollars since the pandemic broke on dealing — proactively and retroactively — with ransomware vulnerabilities. An alert and trained employee protects the company when they understand and can, therefore, avoid current cyber threats.

Effectively Training Employees

Education is key to ensuring that organizations — and small businesses in particular — are protected from cyberattacks. Here are four ways to more effectively train employees on cybersecurity awareness:

1. Take A Piecemeal Approach To Education

Recently, I helped a client complete a self-assessment questionnaire for credit card compliance. The questionnaire was no fewer than 268 questions, a majority of which were unnecessary and irrelevant to my client. It was so difficult that I can completely understand how most people would rush through it, missing pertinent questions.

Security training should be delivered in smaller bites, should be relevant to the person in training and should contain language that is easy to understand. These steps are crucial because even among tech employees, nearly half surveyed say they’ve succumbed to a phishing email while working, according to a Tessian study (via TechRepublic).

2. Keep Risk To A Minimum: Don’t Store Sensitive Data

The more sensitive data a business acquires, the more it is a target. Sensitive data includes not just credit card data but any unique user data. If a company can avoid storing sensitive data or letting someone else store the data instead, they should. At the very least, organizations should restrict who has access to extremely sensitive information.

The old adage “an ounce of prevention is worth a pound of cure” is very apt in this scenario. Restricting and removing sensitive data is an important part of an effective, comprehensive cybersecurity strategy.

3. Assume A “Zero Trust” Policy

No device or person in an organization should be trusted more than another. Such a zero-trust policy removes many interpersonal tensions and issues — and many security risks. For example, a CEO needs a secure password like everyone else. Nobody should be allowed to break protocol just because they hold an executive title.

Instead, an organization should hold everyone to the same standard for learning and adopting cybersecurity protocols.

4. Consider Gamifying Training

Use gamification in your training to engage your employees and make it easier to understand and retain important information. One company, RangeForce, offers a web-based solution where employees go on missions to hack into an organization and learn about cybersecurity threats. This engaging learning environment has proven to be extremely effective.

Companies, especially small businesses and public entities, should prioritize cybersecurity training. Even small actions taken toward more awareness and training create lasting and impactful measures on cybersecurity.

Preventing and quickly responding to cyberattacks is a must for organizations — before the pandemic and especially now in its aftermath. The cost is too high to do otherwise