Do you want employees to be able to keep their personal information and organizational business data safe while they are working from home, as well as from the office, in 2022? This article offers basic background about cybersecurity risks and the importance of dealing with them effectively. Some people may already know some of the ways to keep information safe online, but they're worth repeating just in case. In the series of articles that follow, you will find additional top practices in planning employee cybersecurity training.
Why now?
Organizations seem to be poised to bring employees back to the office in coming months. It is also true that many employees are going to continue to work from home in 2022 and in a variety of arrangements, including part time, full time, and some form of hybrid set-up. The details of cybersecurity practices may vary from one of these situations to the next, so the focus of training will need to include what to do in identifying possible security breaches, when to do it, and how to do it.
Tailor the training to the situation
Employees might have a security mindset shaped by their consumer experience with online threats and security, but not by business requirements and best practices. This is also true for employees working from more traditional office settings and from the field or customer facilities. That's why it's important to tailor training to employees’ current circumstances, whether this means changing certain behavior patterns (such as using two-factor authentication), making sure employees know how to use installed anti-virus software, or teaching them how to spot attempted breaches and deal with them correctly.
Why bother?
Most people, especially when online at home before WFH (Working From Home), never gave much thought to the possibility that their personal information or their privacy was at risk. Sometimes credit card companies or banks send warnings about suspicious transactions. Even so, only one person in five ever receives such warnings. Awareness is pretty low. Scammers and thieves make fortunes. With the ongoing coronavirus situation, we already know that hackers, scammers, and spoofers have become more active. They know many people are working from home, without the cybersecurity protection they would have when working from their offices. There is more opportunity to steal sensitive information.
That’s why this is a big deal.
The basics
Here are some issues that instructional developers should address in cybersecurity training in 2020. As I suggested at the top of this article, this will seem really basic to some Learning Solutions readers, but it will be news to others, especially employees working from home for the first time.
Situational awareness
Let’s start with an attitude adjustment. First, employees need to think like attackers, identifying potential threats and spotting dangerous situations. Why? Because there are people “out there” who want to take advantage of unwary employees, steal from organizations, or at the very least acquire information that will make it possible to obtain other details they need. There are no hard “right or wrong” rules about identifying these people; it’s just a mental frame through which you try to view the world.
Social engineering
Attackers have a strategy, social engineering (also known as social hacking), that serves as one of their tools. This is the use of deception to manipulate people into revealing confidential or personal information that the bad actor can use for fraudulent purposes. Social engineering relies at least in part on the tacit assumptions that people make about other people and their reasons for doing certain things.
Social engineering techniques take advantage of the victim’s tendency to assume that communication from strangers is honest. Some of these techniques have particular names:
1. Phishing
3. Vishing
4. Pretexting
Employees should know about these, how they work, and about any protection they will still be getting (or no longer getting) at home through the employer’s website, apps, and policies. They should also know what to do when they detect one of the techniques, and who to contact.
The basic rule
There is one basic rule for security online. That is: Expect trouble.
The next article in this series will focus on securing your employees. While it is not an employee's fault if they are fooled by an attempted breach, there are certain basic practices that should reduce the likelihood of a successful attempt by an attacker.