Millions of employees are now working from home as a result of the COVID-19 pandemic. Meanwhile, business is booming for cybercriminals: We’re seeing a recent and unprecedented surge in successful cyberattacks. Worse, the cost of those attacks is climbing exponentially and is expected to hit as much as $6 trillion annually by next year.
To address the problem, executives must reexamine their assumptions about security and the systems they have relied upon in the past. Here are some tips to keep in mind when evaluating best practices for secure remote working.
Focus on security awareness and training
Many cybercriminals prey on human fallibility. Email phishing attacks are an all-too-common example of this. In email phishing, success relies on two things: accessibility and naivety.
Access has become less of a hurdle for cybercriminals as email systems like Gmail have become ubiquitous in business operations. Since these systems let anyone send and receive messages, cybercriminals simply play a numbers game. They flood employee inboxes with the right message, and eventually an employee who is not trained on how to spot the warning signs or who fails to pay proper attention will take the bait.
The likelihood of this happening is much higher than you might expect. Our report, Odds of a Bad Bet, recently suggested that the chances of an employee spotting a phishing email are as slim as hitting a specific number on the roulette wheel. This issue is widespread and affects all industries: In 2019, 966 government agencies fell victim to ransomware attacks, many of which started from an employee email.
In the workplace, most employees are protected by some level of perimeter-based security and support. Anti-spyware or firewall settings block most phishing emails from reaching employees, and onsite IT teams can help immediately advise and address the situation if an attack does occur.
Remote workers, on the other hand, are more exposed and increase the risk of spreading damage throughout their company’s interconnected systems. To help combat this challenge, it’s crucial for companies to provide cybersecurity training for all employees. This training should include the following basics:
- Educate employees on the repercussions of a successful cyberattack/breach. This is important because many breaches happen when employees don’t recognize common weak points and don’t understand how catastrophic a successful cyberattack can really be.
- Provide practical examples of how different roles in your business might come across risky scenarios in their daily operations. Discuss the repercussions in layman’s terms, and include detailed real-world examples of how cyberattacks have crippled companies.
- Offer specific, actionable tactics for employees to use. Train them to diligently scrutinize everything that comes into their digital space and ask them to authenticate everything to the best of their ability. This means encouraging them to be suspicious of domains, names, messages, or subject lines that may look slightly “off” or that they do not immediately recognize.
- Prepare employees for a worst-case scenario. No cybersecurity defense is 100 percent bulletproof, and if a cybercriminal slips through the cracks – even if everyone has done their part correctly – it is important to ensure that everyone on your team knows how to handle the situation.
A recent Deloitte study showed that fewer than half of companies that claimed they were prepared for a crisis had up-to-date policies in place or guidance on how to communicate safely during the crisis. Preparedness can make or break your company. You cannot minimize the damage from a security breach and ensure continued business operations without having up-to-date security policies and a crisis plan in place.
Security is a mindset, not a checklist
Implementing employee training and boosting awareness of security best practices are critical steps to safeguard your company against malicious cyberattacks. Even the U.S. government is exploring mandatory employee cybersecurity training, appointing state-wide cybersecurity coordinators, and banning the payment of ransomware demands.
However, one-time sessions, annual workshops, or expert-led seminars featuring online quizzes are unengaging and ineffective. In addition, isolated training initiatives cannot keep up with the rapidly changing cybersecurity environment in which cybercriminals are constantly figuring out new and more sophisticated ways to launch attacks.
Instead, strive to build a culture of security into your workforce. Security is a mindset that should be consistently at the forefront of all operations. Offer your employees frequent opportunities to apply and refine their security skills. Keep them informed of the latest threats and tactics from bad actors. And always maintain the broader perspective, focusing on how security aligns to the success of the entire business.