I’ve read what seems like a million articles on how to make security awareness training more effective for remote workers. And honestly, they all seem to say the same thing. Teach employees the basics and give them a list of things they should do to keep your data safe. Almost every article includes the same tips: don’t click on unknown links, use strong passwords, don’t access work data over public wireless, always install updates and more.

But if what we’re preaching was really working, we wouldn’t have to keep saying it. Since cyberattacks are still happening, that’s clearly not the case. Now, things are about to shift again. Many employees are moving over the next few months to hybrid work instead of being fully remote. That means new, possibly bad, habits.

We Need New Security Awareness Training 

A recent survey by Tessian found 56% of IT leaders believe employees have picked up bad cybersecurity habits since working from home. They say one in three employees think they can get away with riskier behavior when working remotely.

After hours of thought and research, along with having written many articles on this topic myself, I decided that the problem with employees and security awareness training goes deeper than a list of seemingly simple actions.

I came to three conclusions about what we, as a business and cybersecurity community, need to do to actually change things for the positive. They’re different from what you may find elsewhere. And each one is bigger than just one company; they mark a major shift in how we view cybersecurity awareness training and work in general.

Work-Life Boundaries

First, we need clear boundaries between work and personal life.

Remote work is here to stay, at least to some degree. That gives us the flexibility to blend our personal and work lives in positive ways. However, it also means we each have to draw our personal line in the sand. As someone who has worked from home for 13 years, I’ve struggled to find the perfect balance.

This struggle bleeds into cybersecurity as an issue security awareness training often can’t solve. As remote workers, we often feel a constant need to both work and live our personal lives. This leads to people checking work emails over public wireless, using personal devices for sensitive data and countless other poor practices. Multiplied over every employee, this adds up to a substantial risk for companies. A lot of these risks happen because employees feel like they need to be always on and always up for working.

So, the key is to push back and draw our lines better. This only happens if companies stop expecting employees to be able to work at any time. Of course, there are times when personal needs and work have to blend. But those times need to be the exception, not the expectation. When approached in that manner, I think it becomes easier to follow security awareness training on those rare exceptions because it doesn’t happen that often. Even if people don’t remember their training every time, the risk goes down for companies simply by reducing the volume of exceptions.

Security Awareness Training for Everyone

Next, every single person, remote workers included, must feel they have an important role to play in keeping digital assets safe. 

It’s easy to view IT as someone else’s issue. After all, we have whole industries, departments and careers devoted to it. But really, every person is in charge of their own cybersecurity, both personally and at work. We must take responsibility for our actions and feel that we are in charge of keeping infrastructure and data safe. This is 100 times truer for those of us working remotely, since we are actually the cybersecurity expert for our home offices.

When people feel like what they do can change things, they are more likely to follow through. No, this isn’t going to be an overnight change. And I fully admit that I don’t have all the answers on how we get there. But we all need to agree and work to that end. I think only then will people almost always follow security awareness training basics. It’s not going to be the 101st article on strong passwords that is the light bulb moment. Instead, the key is to really know that your actions matter.

The Right Tools for the Job 

Lastly, remote workers need access to easy-to-use tools. All the security awareness training in the world won’t matter if what people are trained to do is cumbersome or confusing.

This one is simple and easier to achieve. Remote workers need to have exactly what they need to keep their home offices and devices secure, both in terms of technology and information. We shouldn’t have to figure it out ourselves or piece it together with toothpicks and scotch tape. Employers should provide an easy-to-use checklist with links to tools to use and step-by-step instructions.

Remote workers need to know exactly who to call with cybersecurity questions. I see a new role ahead: cybersecurity remote worker liaison, or something of that sort, whose job it is to truly help everyone working hybrid and remote set up a secure environment where they can also be most productive. And no, this doesn’t contradict my previous point. This person won’t be in charge of our cybersecurity; they’ll be our coach and resident expert to help us develop a secure environment wherever it is that we are working.

Security Awareness Training in the New World

The world is in transition, which makes it the perfect time to change our views and processes for security awareness training. Remote work will be a lasting impact of the pandemic. And we have to shift our beliefs, actions and processes to match the post-pandemic reality of cybersecurity.
