COVID-19 has brought some unique challenges to IT and cybersecurity teams, largely because this is likely the first time most Canadian organizations have had to learn how to manage a remote and distributed workforce.
Practically overnight, several key areas were flipped on their heads as it seems like the entire economy has shifted online.
Remote workers face different risks than they may have faced in an office setting. For example, an employee’s home Wi-Fi network is likely not as secure as their office building’s network.
New tools and software have been introduced to not only allow people to work safely, but to enable them to work at all. Employees may be using a VPN or accessing a shared file repository for the first time.
IT and HR might have to roll out new policies to provide structure around using personal devices for work activities, or may be creating general work-from-home policies for the first time.
And finally, many business processes have to shift, such as how an organization approves financial transactions.
These are all areas that IT has a hand in, and each introduces new cyber risks to employees. People aren’t suddenly more safe now that they’re cozy in their pyjamas working on the couch—it’s quite the opposite.
Now more than ever, IT teams need to be proactive in pushing new tools, processes and policies to their users in a way that is easy, consistent, and packaged so that their effectiveness can be tracked.
This is where a cybersecurity awareness training platform can help out.
Educate on new risks and scams
Working from home presents a ton of unique risks that might not be relevant when someone only works in an office. Home Wi-Fi, working on a network shared with IoT devices, and having your devices accessible by family members and roommates are some of the more obvious ones.
Now is an excellent time to assign new training material to your users that covers these types of threats and risks.
We’ve released a free training course from our own platform’s library which covers cybersecurity fundamentals for remote workers. This course is contextual to the current situation, which is powerful when trying to change perception of a risk. A course might provide awareness and knowledge of a problem, but if the context isn’t there, an employee might not perceive that problem to be a big deal.
There’s also a ton of COVID-19 related phishing scams happening, especially through SMS as government programs roll out for financial relief. A crisis can also compromise someone’s emotional and psychological state, making them more likely to fall for a scam.
Depending on the nature of your organization, now might be a good time to roll out spear phishing tests. Here are a few templates you should consider testing and educating around:
- CEO and financial fraud, especially as organizations adopt new processes for financial transactions
- Government relief programs and information from news outlets
- New internal processes and tools, such as logging into a new document or collaboration tool like Dropbox
- SMS-based scams if you have a platform that supports it
Awareness training platforms are for more than just phishing
When most organizations adopt a computer-based cybersecurity awareness training platform, they’re primarily doing it to educate their staff on social engineering and to reinforce that training with phishing tests.
This makes sense—the majority of malicious data breaches come from these types of attacks, so it should be a strong focus of any awareness training program. However, you can conduct training on more than just cyber threats that exist out in the wild.
If you’re introducing new processes or tools to support remote work, you can create custom training courses to support those roll-outs. Some of the custom courses we’ve seen our customers building include training staff on how to use a new VPN, or how to safely and effectively communicate on an instant messaging platform like Slack.
The benefit of having these courses in a training platform is that they will be delivered consistently to all employees, are easily discoverable, and you’ll have access to stats showing which employees have and haven’t accessed the training. You can also create quizzes to help reinforce your training.
Link your policies to your training
IT policies are an important part of an organization’s ability to have clear rules about what is and isn’t allowed. Many organizations are introducing new policies to address our new working environment, such as BYOD (bring your own device) or personal device policies, VPN and access management policies, and general work-from-home policies that may exist permanently once we’re all back in our offices.
Some training platforms (like ours) allow you to add copies of your policies and assign them to your staff. This is useful when introducing new policies in a hurry, like most organizations are doing right now, in a way that is consistent and measurable.
You can also fold your policies into your custom training material. For example, if you have a new course on “personal device security”, you can append information at the end to discuss your new BYOD policy. That way you’re marrying the education and awareness part of a risk with your organization’s policies and practices about how to handle that risk.
Use metrics and surveys to watch for trends
One of the most powerful features of a cybersecurity awareness training platform is the ability to get a quantitative sense of an employee’s risk level, using metrics like phishing test rates, training completion, and user surveys.
You can use this data to monitor trends over time, which can help you make better decisions about new tools and training to implement in the future.
For example, in CIRA’s training platform, all users get a personalized risk score on a graph that shows change over time. You can see the moment our office went entirely remote a month ago by looking at the change in our risk scores. This type of data can be valuable for an IT team, allowing them to quickly intervene if they notice a specific group of individuals or type of risk becoming heightened as the shift to remote work becomes more permanent.
Connect training to broader cybersecurity initiatives
This is a massive moment of change for all organizations, and IT teams are one of the key leaders in managing that change.
A cybersecurity awareness training platform can help you manage this change faster, in a more consistent and effective manner. You should be thinking of your training program as your main way to communicate with your users about all things IT and cybersecurity, because education is joined at the hip with tools, processes, and policies.
Don’t be afraid to work alongside HR and communications specialists in your organization if you have access to them. They can be great voices in helping you use your training program to roll out important technical information to your employees in this difficult time.
Your people are the last line of defence against cyber threats.