The widespread adoption of remote and hybrid work has brought with it increased flexibility for employees, who may be logging on to the same virtual meeting oceans apart from their colleagues. This flexibility goes a long way in supporting working parents and caregivers, as well as other employees seeking greater autonomy in when and where they work.
However, this flexibility has brought with it increased risk for businesses around cybersecurity. Without practicing vigilant cyber hygiene, remote and hybrid workers alike can fall victim to cybercrimes like phishing and ransomware attacks. Ahmar Abbas, CEO of Xtreme Labs, LLC, explains that remote and hybrid work can sometimes necessitate using personal devices and networks that aren’t protected by robust corporate security protocols. Further, smaller organizations that may have successfully built a “strong cybersecurity posture” in physical office locations often don’t have the capacity to do the same for a dispersed workforce.
What’s more? Hybrid workers may be even more at risk than fully remote workers: A Fortune article explains that, “While completely remote workers can be segmented in a way that protects central networks, hybrid workers expose these networks to risk every time they return to the office and reconnect, potentially bringing with them malware they picked up.”
The good news is that, according to Microsoft research, basic cybersecurity hygiene protects against 98% of cyberattacks.
Before we dive into what basic best practices employees can leverage to protect themselves (and the company) online, and how cybersecurity training can help reinforce them, let’s take a deeper look at the business case for cybersecurity training in the age of remote and hybrid work.
The Business Case
When it comes to cyberattacks, it’s not a question of “if” you will be attacked, but “when” you will be attacked, says Jon France, chief information security officer at (ISC)², Inc., a nonprofit organization specializing in training and certifications for cybersecurity professionals. If companies don’t invest in cybersecurity training for their workforce, they “will inevitably become more vulnerable” to cyberattacks that can have detrimental financial and legal consequences, such as the loss of intellectual property, accidental data leakage, a damaged company reputation and even increased turnover, France says. Companies experiencing cybersecurity challenges can leave employees feeling unprotected on the job — and cause them to seek a safer, more secure work environment elsewhere.
Even a small mistake can lead to some of the very real consequences outlined above. As Mark Burke, senior director of custom learning solutions at Judge Learning Solutions, a supplier of enterprise learning and performance support solutions, says, “It’s the little things people do that can result in a big problem.” For instance, a remote worker leaving their laptop unattended in a coffee shop or using a public Wi-Fi network to access sensitive files may seem like “no big deal” — until their laptop gets stolen, or the files manage to get leaked.
Even if it doesn’t lead to dire consequences, “innocent mistakes” can cost the business time and money to investigate, says Corey Hynes, executive chairman at Skillable, a provider of virtual information technology (IT) training labs.
Companies can prevent cyber threats proactively by training all employees — whether they are in person, remote or hybrid — on critical cybersecurity best practices.
3 Tips for Effective Cybersecurity Training
Training is a powerful antidote to cybercriminals looking to take advantage of unaware employees — but getting cybersecurity training “right” can be difficult, especially when training a large, dispersed workforce.
To ensure your cybersecurity training is effective, consider the following best practices:
- Start with the basics.
When training employees who are not IT or cybersecurity professionals, it’s important to start with the basics. While IT and cybersecurity experts are likely well-versed in the world of phishing and data breaches, non-cybersecurity professionals probably aren’t. Thus, training should address foundational best practices for cyber hygiene, such as:
- Use strong passwords and multi-factor authentication (MFA).
- Be aware of phishing emails and scan all messages for phishing warning signs (e.g., grammar or spelling errors, inconsistencies in email addresses, links and domain names, an unfamiliar tone, threats or a sense of urgency).
- If the company has not done so already, install antivirus and anti-malware software on work devices and scan for viruses regularly.
- Update your software regularly.
- Back up important files to the cloud regularly.
- Don’t click on suspicious links or attachments.
- And perhaps most importantly — if you see something, say something: It’s critical that employees speak up when they spot a potential threat, France says. Encourage your learners to report any suspicious activity or incidents, and clearly outline the process for doing so.
Once your basics are covered, you can consider training employees on more advanced cybersecurity topics, as needed, based on their applicability to learners’ day-to-day job roles. But developing a strong, foundational culture of cyber hygiene is a great place to start.
- Make it interactive.
For cybersecurity training to be effective, “it’s not enough to simply show a video,” Hynes says. The training must be hands-on and interactive. Simulations are one way to put learners in a real-world scenario where they can practice fending off potential threats, such as identifying a phishing email that looks like it came from the company’s CEO, he says. Giving learners a safe environment in which to practice these skills, repeatedly, is critical.
Abbas agrees that all cybersecurity training should have a “substantial hands-on component.” As more companies implement cybersecurity systems and tools to protect the dispersed workforce, learners need hands-on, interactive training that walks them through what these systems are, and how to use them effectively.
- Keep it up.
When it comes to cybersecurity, you don’t provide learning until employees “get it right,” you provide it “until they can’t get it wrong,” Hynes says. In other words, cybersecurity training isn’t a one-and-done endeavor. It’s a continuous commitment to protecting the company and its employees.
In addition, it’s important to update your training initiatives as cyber threats evolve, Abbas says. The updated training should be consistently rolled out. Only then, he says, will training outcomes “become meaningful.” Delivering continuous, up-to-date training can keep key cybersecurity best practices top of mind for learners.
As the world of work continues to expand across borders, the need for effective cybersecurity training, for all workers, will continue to rise. And, because cyberattacks aren’t a matter of “if” but “when,” cybersecurity training isn’t something that should be put on the backburner. As France says, don’t sit back and wait for cybercrime to happen — be proactive.