Education of remote workers

by Mark Rowe

Oseloka Obiora, CTO at RiverSafe, considers the cybersecurity education of remote workers, and how they can protect their vulnerabilities from hackers.

According to data from the Office for National Statistics (ONS), 16 per cent of the UK’s workforce work exclusively remotely. And hybrid working is on the up too, with around 40 per cent of people working from home at least once a week. That’s up from just 12 per cent in 2019.

This rise in remote working brings a whole host of benefits (and unique challenges) for employees and businesses alike. But it also significantly increases an organisation’s vulnerability to cybersecurity threats. Personal devices, unsecured networks, new communication tools like video conferencing software, and even physical isolation from peers and colleagues can make remote workers more susceptible to cyberattacks—and more likely to develop poor cyber hygiene habits.

Bad actors have been quick to cash in on this growing attack vector, with social engineering attacks like phishing on the rise. Most recently, cybercriminals have been exploiting the cost-of-living crisis, tempting users to click links promising energy or tax rebates. And this isn’t just a problem for individuals; approximately 91 per cent of cyberattacks on businesses begin with a phishing email to an individual target.

With more widespread remote work seemingly here to stay, businesses need to update their cybersecurity strategies to account for these amplified vulnerabilities and protect their evolving digital landscape. The most powerful weapon you have in your arsenal when it comes to shoring up your cybersecurity posture is education. Teaching your remote workforce what to look out for and how to protect themselves will go a long way toward protecting your business against cyberattacks and data breaches.

Here are a few ways you can empower your remote workers and teach them how to protect themselves, their devices, and company data from hackers.

Leverage security tools and instil best practice

Many of the technical aspects of maintaining a secure digital environment will be managed at the back end of your systems. Setting up things like VPNs, firewalls and MFA, and making sure software is patched and updated regularly, are the responsibility of your security team, but there are a few things that lie in the hands of users: passwords, for example.

Anyone who’s created an online account recently will be familiar with modern password standards. But that doesn’t mean that employees will always come up with the sort of strong, unique passwords that are challenging to crack. Often employees will use the same password for multiple accounts for ease, which can compromise multiple accounts if just one account is breached.

The safest passwords aren’t usually the easiest to remember, so encourage your remote workers to use good passwords by giving them access to secure password generators and managers so you don’t have to trade organisational security for user convenience.

Make sure your users are aware of other basic security tools and best practices like:
• Covering webcams when not in use so that attackers don’t have visual access to your environment even if the system is compromised
• Using only approved business devices while at home, not allowing others in the household to access company devices, and not working from or transferring data to personal laptops
• Using only secure networks and avoiding public or open Wi-Fi that anyone can connect to and potentially use to intercept your data

Deliver engaging training

Online training sessions will help educate remote workers on cybersecurity best practices. These sessions should cover topics like how to identify phishing emails and how to secure home networks. Try to make any education around cybersecurity interesting, and bear in mind that people tend to remember stories and anecdotes better than straight facts.

Conduct sessions periodically to help remote workers keep up with the latest threats, particularly those that are most relevant to your organisation and industry. The MITRE ATT&CK Framework can be a useful tool in planning your training strategy, alerting you to emerging tactics and attack types that you can relay to your remote workers and help them take a more proactive approach.

Take advantage of gamification too, and employ interactive elements like games and quizzes to keep users engaged with learning about cybersecurity.

Remind little and often

Bake cybersecurity awareness into your regular communications, so workers don’t come to view it as a ‘set-and-forget’ kind of task. There’s more to cybersecurity than changing your password every once in a while, and your workers need to understand that to build awareness and resilience.

And don’t just send periodic reminders and veiled threats about sticking to policy. These kinds of communications can feel like nagging, and will quickly be ignored by recipients. Instead, share information, access to resources about cybersecurity, articles about breaches put into context from your organisation’s perspective, interesting videos; anything that furthers awareness and keeps cybersecurity top-of-mind.

Encourage reporting

Reporting is vital to keeping your organisation secure. Even with the most advanced SIEM and UEBA solutions in place, you won’t pick up everything. Intel from your workers is important to see how your business is being targeted, particularly when it comes to social engineering. Ensure you have instilled a zero-blame culture, meaning that if someone has compromised their account, they don’t feel as though they have to hide it for fear of being penalised. Zero-blame cultures ensure that attacks get reported and any damage can be minimised, faster.

Encouraging remote workers to report on any suspicious activity or events they come across also boosts their awareness of what to look for, and helps their understanding of cyber threats stick. After all, many people learn best by doing.

Cyberattacks are getting more sophisticated and harder to detect—and your attack vector isn’t getting any smaller. Educating a dispersed, remote workforce about cybersecurity can feel like an uphill battle, but equipping all employees with the information and tools they need to shield vulnerabilities and protect themselves from hackers is the best way to ensure the ongoing security of your company’s most valuable assets.

About Oseloka Obiora

He’s worked as an independent Information Security consultant for large enterprises prior to founding RiverSafe Ltd, specialising in delivering Network Security and Threat Management solutions in various industry sectors, running these technical projects from cradle to full operations. With over 16 years’ experience working in information security, Oseloka has worked on Threat Management implementation and optimisation projects for the likes of BP Oil, Royal Bank of Scotland, Thomson Reuters, and IBM Global Services. He has also served as a Security Architect for UBS and Philips Innovation. He is a regular speaker at cyber events and recently spoke in the Houses of Parliament, to MPs and industry leaders about the growing threat posed by the increasing volume of sophisticated cyber attacks. Oseloka has a B Eng in Mechanical and Production Engineering and also holds a number of industry and vendor certifications (CISSP, SANS GIAC, IISP, Cisco, Splunk). He is a founding member of the IoT Security Forum and a member of ISSA.


© 2024 Professional Security Magazine. All rights reserved.
