I’ve read what seems like a million articles on how to make security awareness training more effective for remote workers. And honestly, they all seem to say the same thing. Teach employees the basics and give them a list of things they should do to keep your data safe. Almost every article includes the same tips. They say ‘don’t click on unknown links, use strong passwords, don’t access work data over public wireless, always install updates’ and more.
But if what we’re preaching was really working, we wouldn’t have to keep saying it. Since cyberattacks are still happening, that’s clearly not the case. Now, things are about to shift again. Many employees are moving over the next few months to hybrid work instead of being fully remote. That means new, possibly bad, habits.
We Need New Security Awareness Training
A recent survey by Tessian found 56% of IT leaders believe employees have picked up bad cybersecurity habits since working from home. They say one in three employees think they can get away with riskier behavior when working remotely.
After hours of thought and research, along with having written many articles on this topic myself, I decided that the problem with employees and security awareness training goes deeper than a list of seemingly simple actions.
I came to three conclusions about what we, as a business and cybersecurity community, need to do to actually change things for the positive. They’re different from what you may find elsewhere. And each one is bigger than just one company; they mark a major shift in how we view cybersecurity awareness training and work in general.
First, we need clear boundaries between work and personal life.
Remote work is here to stay, at least to some degree. That gives us the flexibility to blend our personal and work lives in positive ways. However, it also means we each have to draw our personal line in the sand. As someone who has worked from home for 13 years, I’ve struggled to find the perfect balance.
This struggle bleeds into cybersecurity as an issue security awareness training often can’t solve. As remote workers, we often feel a constant need to both work and live our personal lives. This leads to people checking work emails over public wireless, using personal devices for sensitive data and countless other poor practices. Multiplied over every employee, this adds up to a substantial risk for companies. A lot of these risks happen because employees feel like they need to be always on and always up for working.
So, the key is to push back and draw our lines better. This only happens if companies stop expecting employees to be able to work at any time. Of course, there are times when personal needs and work have to blend. But those times need to be the exception, not the expectation. When approached in that manner, I think it becomes easier to follow security awareness training on those rare exceptions because it doesn’t happen that often. Even if people don’t remember their training every time, the risk goes down for companies simply by reducing the volume of exceptions.
Security Awareness Training for Everyone
Next, every single person, remote workers included, must feel they have an important role to play in keeping digital assets safe.
It’s easy to view IT as someone else’s issue. After all, we have whole industries, departments and careers devoted to it. But really, every person is in charge of their own cybersecurity, both personally and at work. We must take responsibility for our actions and feel that we are in charge of keeping infrastructure and data safe. This is 100 times truer for those of us working remotely, since we are actually the cybersecurity experts for our home offices.
When people feel like what they do can change things, they are more likely to follow through. No, this isn’t going to be an overnight change. And I fully admit that I don’t have all the answers on how we get there. But we all need to agree and work to that end. I think only then will people almost always follow security awareness training basics. It’s not going to be the 101st article on strong passwords that is the light bulb moment. Instead, the key is to really know that your actions matter.
The Right Tools for the Job
Lastly, remote workers need access to easy-to-use tools. All the security awareness training in the world won’t matter if what people are trained to do is cumbersome or confusing.
This one is simple and easier to achieve. Remote workers need to have exactly what they need to keep their home offices and devices secure, both in terms of technology and information. We shouldn’t have to figure it out ourselves or piece it together with toothpicks and scotch tape. Employers should provide an easy-to-use checklist with links to tools to use and step-by-step instructions.
Remote workers need to know exactly who to call with cybersecurity questions. I see a new role ahead: cybersecurity remote worker liaison, or something of that sort, whose job it is to truly help everyone working hybrid and remote set up a secure environment where they can also be most productive. And no, this doesn’t contradict my previous point. This person won’t be in charge of our cybersecurity; they’ll be our coach and resident expert to help us develop a secure environment wherever it is that we are working.
Security Awareness Training in the New World
The world is in transition, which makes it the perfect time to change our views and processes for security awareness training. Remote work will be a lasting impact of the pandemic. And we have to shift our beliefs, actions and processes to match the post-pandemic reality of cybersecurity.