I’ve read what seems like a million articles on how to make security awareness training more effective for remote workers. And honestly, they all seem to say the same thing. Teach employees the basics and give them a list of things they should do to keep your data safe. Almost every article includes the same tips. They say ‘don’t click on unknown links, use strong passwords, don’t access work data over public wireless, always install updates’ and more.

But if what we’re preaching was really working, we wouldn’t have to keep saying it. Since cyberattacks are still happening, that’s clearly not the case. Now, things are about to shift again. Many employees are moving over the next few months to hybrid work instead of being fully remote. That means new, possibly bad, habits.

We Need New Security Awareness Training 

A recent survey by Tessian found 56% of IT leaders believe employees have picked up bad cybersecurity habits since working from home. They say one in three employees think they can get away with riskier behavior when working remotely.

After hours of thought and research, along with having written many articles on this topic myself, I decided that the problem with employees and security awareness training goes deeper than a list of seemingly simple actions.

I came to three conclusions about what we, as a business and cybersecurity community, need to do to actually change things for the positive. They’re different from what you may find elsewhere. And each one is bigger than just one company; they mark a major shift in how we view cybersecurity awareness training and work in general.

Work-Life Boundaries

First, we need clear boundaries between work and personal life.

Remote work is here to stay, at least to some degree. That gives us the flexibility to blend our personal and work lives in positive ways. However, it also means we each have to draw our personal line in the sand. As someone who has worked from home for 13 years, I’ve struggled to find the perfect balance.

This struggle bleeds into cybersecurity as an issue security awareness training often can’t solve. Remote workers often feel a constant need to both work and live our personal lives. This leads to people checking work emails over public wireless, using personal devices for sensitive data and countless other poor practices. Multiplied over every employee, this adds up to a substantial risk for companies. A lot of these risks happen because employees feel like they need to be always on and always up for working.

So, the key is to push back and draw our lines better. This only happens if companies stop expecting employees to be able to work at any time. Of course, there are times when personal needs and work have to blend. But those times need to be the exception, not the expectation. When approached in that manner, I think it becomes easier to follow security awareness training on those rare exceptions because they don’t happen that often. Even if people don’t remember their training every time, the risk goes down for companies simply by reducing the volume of exceptions.

Security Awareness Training for Everyone

Next, every single person, remote workers included, must feel they have an important role to play in keeping digital assets safe. 

It’s easy to view IT as someone else’s issue. After all, we have whole industries, departments and careers devoted to it. But really, every person is in charge of their own cybersecurity, both personally and at work. We must take responsibility for our actions and feel that we are in charge of keeping infrastructure and data safe. This is 100 times truer for those of us working remotely, since we are actually the cybersecurity expert for our home offices.

When people feel like what they do can change things, they are more likely to follow through. No, this isn’t going to be an overnight change. And I fully admit that I don’t have all the answers on how we get there. But we all need to agree and work to that end. I think only then will people almost always follow security awareness training basics. It’s not going to be the 101st article on strong passwords that is the light bulb moment. Instead, the key is to really know that your actions matter.

The Right Tools for the Job 

Lastly, remote workers need access to easy-to-use tools. All the security awareness training in the world won’t matter if what people are trained to do is cumbersome or confusing.

This one is simple and easier to achieve. Remote workers need to have exactly what they need to keep their home offices and devices secure, both in terms of technology and information. We shouldn’t have to figure it out ourselves or piece it together with toothpicks and scotch tape. Employers should provide an easy-to-use checklist with links to tools to use and step-by-step instructions.

Remote workers need to know exactly who to call with cybersecurity questions. I see a new role ahead: cybersecurity remote worker liaison, or something of that sort, whose job it is to truly help everyone working hybrid and remote set up a secure environment where they can also be most productive. And no, this doesn’t contradict my previous point. This person won’t be in charge of our cybersecurity; they’ll be our coach and resident expert to help us develop a secure environment wherever it is that we are working.

Security Awareness Training in the New World

The world is in transition, which makes it the perfect time to change our views and processes for security awareness training. Remote work will be a lasting impact of the pandemic. And we have to shift our beliefs, actions and processes to match the post-pandemic reality of cybersecurity.
