Employees are the weakest link in any corporate security system. Anyone whose job it is to protect information systems can confirm: No matter how advanced a security technology is, a careless or clueless employee can always stumble into a way to put the infrastructure at risk. If you recently switched your employees to home-working mode (as almost half of humanity has at present), the scope for error is now an order of magnitude greater.
When people work in the office, protection systems and IT staff are there to take part of the burden. It’s no guarantee of perfect safety, of course, but at least the company’s antivirus solution will block phishing sites, and the infosec team can spot anomalies in traffic from an infected machine. IT promptly installs updates to patch the latest vulnerabilities.
Employees switched to home-working mode now have to handle all of those things, and more. Here’s where security awareness begins to play a far more significant role.
Being one’s own IT administrator
What devices do your employees use to work from home? An office laptop in compliance with corporate policies? Great, but it’s still not enough. That laptop is now connected to an unfamiliar home network. What other devices are connected to the router? What kind of router is it? How strong is its password, and who configured the device — and how? If the employee is using a personal home computer instead of a corporate one, you don’t know who else has access to it, what security solution is installed, or whether anyone bothers to update the operating system.
We are not suggesting that everyone has to become a sysadmin guru overnight, but the ability to identify threats and weak points would be a major plus for everyone. It would stop people from connecting to corporate databases directly when the company has made a VPN available, from installing fake “flash player updates,” and from letting outside “experts” play around with the settings.
Being one’s own data protection officer
What data do your employees use in their daily work? Do they know what confidential information actually means, and what data is a corporate secret? In a perfect world, they’d have learned this on day one, back in the office. However, it’s one thing for an employee to work with a list of EU clients on an isolated office subnet, but something else entirely to access such files from home.
After all, when working remotely, the ability to use an unmonitored, unofficial collaboration tool can be all too tempting. Everyone needs to be quite clear about what data can be sent over unofficial channels, and what must never leave the network under any circumstances.
Being one’s own cybersecurity specialist
Remote workers and IT experts alike need to understand that the current pandemic is a boon for cybercriminals. We have seen waves of COVID-19 phishing, both mass efforts and those targeting specific industries. Some crooks try to pull off BEC attacks, hoping their messages will slip through in the surging flows of telecommuting correspondence. Our security technologies have detected corporate infrastructures subjected to constant scans from the outside in search of open RDP ports. That’s reason enough to double down on vigilance.
How to train employees in this environment
Start by conveying the idea to employees that they are now far more responsible for information security than ever before. That may seem obvious to you, but it simply doesn’t cross many people’s minds. Next, raise their level of security awareness. Sure, there are no face-to-face cybersecurity sessions at present, but our distance-learning programs more than compensate for that. And we are constantly updating and improving them.
The easiest way to set up remote cybersecurity training is with our Kaspersky Automated Security Awareness platform. It not only keeps employees informed about the latest threats, but also teaches them how to resist those threats. What’s more, the manager has control over the process and can set up the training program remotely. The lessons were created by specialists in the field of education and psychology, who made the material both catchy and memorable.
Just recently, our experts added two training modules on the hot topics of confidential data and GDPR. The first is for employees who work with personal data, commercial secrets, or internal documents. The second is for companies whose clients or employees include EU citizens.
In addition, our training experts, together with Area9 Lyceum, have created a complimentary module that consists of two major parts. The first teaches participants how to organize a secure working-from-home environment. The second is not about information security at all, but how to minimize the risk of contracting COVID-19. The module is available here.