8 tips for jumpstarting your employee cybersecurity awareness program
The famous businessman David Ogilvy said, "The assets go up and down our elevator every day. Companies that forget the value of talented employees will not long survive."
Decades later, enterprise leaders are well aware their people are their most valuable resource. But when it comes to cybersecurity, your people are also your greatest risk: Almost 90%[1] of cyberattacks are caused by human error.
So invest in your assets by providing ongoing cybersecurity awareness training, especially if your team members work remotely some or all of the time. It’s well reported that the shift to hybrid work has amplified cyber threats, and while your employees can be security risks, they can also become your strongest defense.
The heightened security woes of a hybrid workplace
The FBI’s Cyber Division reported a 300% jump in daily cybersecurity complaints early in the pandemic, saying the "rapid shift to telework" increased vulnerabilities for hackers to exploit.[2] At the same time, cyberattacks aimed at remote workers soared 23%.[3] What is it about remote work that makes our networks so vulnerable?
- Increased use of cloud services and remote connectivity tools. Hybrid workplaces rely on the cloud, Unified Communications, collaboration apps and remote connectivity like VPN. So it’s not surprising cyberattacks on cloud services have shot up more than 600%.[4] Even more frightening, there were 377.5 million brute-force attacks against remote access protocols in February 2021, up from 93.1 million the year before.[5]
- Weak or no security. Most people don’t have private internet access at home and may send sensitive data over the public internet. Chances are, they don’t have a firewall and their WiFi security isn’t as strong as it is at your location. And when they’re away from corporate settings, they’re more likely to use unapproved software and "shadow IT."
- Missed and delayed patches. At home, people often work on their personal computer instead of one that’s company provisioned with the latest security patches. Even on a company device, automatic updates may lag, depending on their home’s bandwidth.
- Rogue uses and users. Many remote workers don’t think twice about letting others use their company computer and may even use it for non-work-related activities, which limits your ability to control and monitor security practices.
IT leaders are on alert
As businesses settle into new hybrid environments, IT pros are rightly on edge. You’re losing your perimeter security and your assets are exposed to both well-meaning but vulnerable employees and the world’s bad actors.
- 90% believe remote workers pose a security risk[6]
- 56% think their employees picked up bad cybersecurity habits while working from home[7]
- 69% worry ransomware will be a bigger issue in a hybrid environment[7]
- 54% think employees will bring infected devices and malware into the office[7]
- 25%+ of employees say they accidentally compromised company security while working from home,[7] and only 50% told IT about the incident[7]
With 82% of company leaders planning to allow remote work at least some of the time, it’s critical to get serious about security training for your people, wherever they work.
8 tips for employee cybersecurity awareness
Many successful cyberattacks could have been avoided if people had recognized fake email addresses, domains, company branding and even two-factor authentication processes. Today’s cybercriminals know how to target individuals in your company to break into your network. So provide self-defense training for your employees.
- Start with the basics. Teach people how to spot phishing, malware and social engineering threats. Explain how to update passwords, not use the same ones across accounts and create hard-to-hack combinations of numbers, letters and symbols. Drive home the "why" with examples of the potential financial, business and reputation impacts of an attack.
- Teach people to fish (not phish). Like the saying about teaching a person to fish, the best way to build a security-savvy workforce is to provide the education and tools to recognize risks and make smart decisions on their own, wherever they are.
- Keep it going from the get-go. Cybercriminals are like the Energizer bunnies of sneaky attacks. They develop new methods all the time and your defenses and training need to adapt along with them. Sessions need to be ongoing, weekly or monthly, from the day of hire onward, as part of your onboarding.
- Create a culture of no blame, no shame. We’re all human and we all make mistakes. When someone does, you need to find out right away to mitigate any damage. So set a precedent of never blaming or shaming for clicking a risky link or opening a bad attachment. Instead, communicate that it’s up to your company to build security systems and training processes to prevent accidental breaches. Be willing to admit your mistakes to show vulnerability and help people feel safe letting you know what they did versus quietly allowing it to escalate.
- Keep cybersecurity top of mind. Sure, security is on your mind all the time, but it might not be on everyone’s radar. Share news stories and statistics frequently to keep best practices top of mind.
- Make it easier. Changing passwords and creating ever-more-complicated combinations of letters, numbers and symbols is a pain. Locking your computer every time you walk away is an inconvenience. Two-factor authentication is a nuisance. So do what you can to make it easier so people don’t look for workarounds. For example, consider using a password manager to take the strain out of creating and remembering passwords.
- Create cybersecurity guidelines. Document your training and policies with diagrams and visual instructions. Keep this central security resource updated and accessible so people can refer to it anytime.
- Hold fire drills. Give people the opportunity to use and internalize their cybersecurity skills through regular "practice attacks." You can make it fun with quizzes, competitions and games. You’ll quickly spot the holes in your armor. And your employees will build "muscle memory," making the precautions second nature.
Strengthen your IT resources
Even with thorough, ongoing employee education, your people and legacy security systems will be challenged by the skilled expertise of motivated cyber criminals. Stay vigilant about evaluating, testing and strengthening your defenses for the hybrid work environment. And consider reinforcing your protections with a Managed Firewall solution. You’ll get a dedicated, expert partner to help you continually assess and secure your network, from end to end, headquarters to homes.
Reduce the risks of remote and hybrid work. Team up with a Managed Firewall partner.
[1] https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/
[2] https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic
[3] https://www.prnewswire.com/news-releases/isc-survey-finds-cybersecurity-professionals-being-repurposed-during-covid-19-pandemic-301048308.html
[4] https://www.helpnetsecurity.com/2020/05/28/external-attacks-on-cloud-accounts/
[5] https://www.globalsecuritymag.com/The-pandemic-effect-Attacks,20210324,109665.html
[6] https://openvpn.net/remote-workforce-cybersecurity-quick-poll/
[7] https://www.forbes.com/sites/edwardsegal/2021/06/15/how-cybersecurity-habits-of-returning-remote-workers-can-put-companies-at-risk/?sh=250c7ba52be2