Keeping Your Hybrid Workforce Secure with Cyber Hygiene Training


More than a year after remote work became the norm, many companies have moved to a hybrid model in which some employees work from home at least some of the time. It’s an evolving mindset that work is something we do rather than a place we commute to and from. With this in mind, security and IT teams must adjust their strategies to effectively manage this new hybrid workforce at scale.

An important aspect of this change involves training your employees on cybersecurity hygiene. That's because, in many organizations, the employees themselves are one of the most significant cybersecurity vulnerabilities. If this was true when on-site work was the norm, it is even more so in a hybrid work environment. Any time an organization shifts an employee's workspace and network usage, that employee may be less adept at identifying phishing attacks, social engineering or other security threats. Because employees are inundated with things to download and procedures to complete, a well-worded phishing attempt might slip through the cracks. The key to mitigating the human risk factor in hybrid workforce cybersecurity is education. The more you can train and teach your employees what to look out for, the better. As part of Fortinet's Training and Advancement Agenda (TAA) initiative and NSE Training Institute, the Information Security Awareness Training is available to organizations looking to implement a cybersecurity training strategy for all their employees.

How hybrid work has changed cyber training requirements

With a hybrid workforce comes the need for employees to access work-based programs and applications from both inside and outside the company's traditional network perimeter. It also introduces new devices: some employees are using their own devices, and they are likely accessing both corporate and personal resources from them. FortiGuard Labs' recent threat report shows cyber adversaries continue to target remote work and learning in their most recent attack techniques.

Cyber threats are changing all the time, which means training isn’t a “one and done” activity. Organizations need to conduct training on a regular basis to help all employees (not just security teams) understand their role in keeping the organization – and themselves – safe.

This needs to be a meaningful and ongoing effort – not just a click-the-boxes quiz that no one ever thinks about again. A recent report by Cloudian found that phishing attacks succeeded even though 54% of all respondents – and 65% of those who reported it as the entry point of a ransomware attack – had conducted anti-phishing training for employees. Clearly, there needs to be more focus and more follow-up.

Passwords and identity

Passwords are still one of the most important aspects of cyber hygiene. As many employees continue to work remotely or within a hybrid model, it’s essential to emphasize their need for a strong password for all platforms, because they no longer have the same level of onsite IT and security support to help.

Your organization should implement a strong access management policy that maintains strict standards for password creation and requires multi-factor authentication when possible. Employees shouldn’t be allowed to reuse passwords across networks or applications, whether corporate or personal, and should be encouraged to set complex passwords that include numbers and special characters. Consider providing password management software so they can keep track of passwords.
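As an added illustration of what such a policy looks like when enforced at the point a password is set (example code written for this page, not Fortinet's or any product's own), the Python below checks length, presence of the username, membership in a breached-password list and reuse against a salted history. The breached list here is a constructed stand-in for an offline list such as the Have I Been Pwned SHA-1 set, and the 14-character minimum is an assumed policy value. Note that NIST SP 800-63B recommends length and breach screening over mandatory digits and special characters, which is why the example screens against a breached list rather than counting character classes.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 14          # assumed policy value; tune to your own standard
PBKDF2_ROUNDS = 100_000  # work factor for the password-history hashes

# Constructed stand-in for a breached-password list (the offline Have I Been
# Pwned list is keyed by uppercase hex SHA-1, so the same convention is used).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Welcome123!", "Summer2021!", "P@ssw0rd1234")
}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password):
    """True if the password's SHA-1 appears in the breached list."""
    return sha1_upper(password) in BREACHED_SHA1


def history_entry(password, salt=None):
    """Salted PBKDF2 record for the history store; old passwords are never kept in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """Recompute the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, history, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    if was_used_before(password, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    history = [history_entry("Welcome123!")]
    for candidate in ("Welcome123!", "jane-Summer2021!", "correct-horse-battery-staple-2024"):
        print(candidate, "->", check_password(candidate, history, username="jane") or "ok")
```

The history store holds only salt and digest pairs, so a leak of the store does not hand an attacker the user's old passwords in clear, and the comparison uses `hmac.compare_digest` so the reuse check does not leak timing information.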

Cybersecurity awareness training

Social engineering attacks are one of the most common ways bad actors infiltrate an organization. Such attacks use human interaction to obtain or compromise information about an organization or its computer systems. Within this category, one of the most prominent forms of attack is phishing, in which an authentic-looking email "lures" the reader into clicking a malicious link or downloading a malicious document.

Social engineering attacks are extremely prevalent across organizations simply because they work. The 2021 Data Breach Investigations Report from Verizon found that 36% of data breaches involved phishing, up 11 percentage points from 25% the prior year. Employees need to be trained about common attacks that could appear in the form of phishing, spear phishing, smishing and tech support scams. Recognizing these threats will help them avoid falling victim to fake emails or malicious websites.

As well as providing training about typical markers of cyber scams (such as “free” deals), choose training offerings that also feature simulated phishing exercises designed to test knowledge and determine which employees might need additional training. For example, Fortinet’s Information Security Awareness Training offers industry-leading cybersecurity awareness components to educate organizations’ workforce about today’s cyber threats, such as phishing, social engineering, and ransomware attacks, and how to protect against them. The awareness and training service is suitable for the entire workforce, from technical to non-technical employees and contractors.

It’s also important to set up best practices. Even after workers are trained on what to look for regarding social engineering attacks, they may still need some guidance when it comes to next steps. While it is easy to ignore or delete a suspicious-looking email, what about those that appear normal, yet the receiver is still unsure about?

In this case, those heading up training efforts need to encourage employees to ask themselves certain questions to help discern the best course of action, such as: Was I expecting this email? Do I know the sender? Does this email invoke a strong emotion like excitement or fear? Am I being encouraged to act with urgency? While these questions should help clarify whether the email is malicious, the receiver should still take extra steps to protect themselves and their organization. This includes hovering over links to see where they actually lead before clicking, not opening unexpected attachments, calling the sender on a known number to verify they actually sent the email, and reporting all suspicious emails to the IT or security team. By explaining these steps to your employees from the start, you can avoid negative repercussions down the line.
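The same questions can be turned into a first-pass check that a help desk or mail gateway runs over a reported message before a human looks at it. The Python below is an added example written for this page, not code from Fortinet or from the training service it describes. It parses a raw message, flags a sender outside the trusted domain, a Reply-To that differs from the From address, urgency phrases in the body, link text whose hostname differs from the real target (the automated form of "hover over the link"), and the presence of attachments. The sample message and the urgency phrase list are constructed for the demo, and the trusted domain `example.com` is an assumption.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that push the reader to act quickly; assumed list, tune per organization.
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours", "will be suspended", "expires today")

# Constructed sample message for the demo; it is not a real phishing email.
SAMPLE_EML = b"""From: "IT Service Desk" <helpdesk@corp-support-portal.example>
Reply-To: recover@mailbox-reset.example
To: jane@example.com
Subject: Action required: your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Act now to avoid losing access.</p>
<p>Sign in at <a href="http://login.corp-support-portal.example/auth">https://sso.example.com</a></p>
</body></html>
"""

# Visible link text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class HtmlLinks(HTMLParser):
    """Collects (href, visible text) for every <a> plus the body's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare domains get a scheme so urlparse recognizes them."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(raw, trusted_domain):
    """Return (code, detail) findings for a raw RFC 5322 message; empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and sender.domain.lower() != trusted_domain.lower():
        findings.append(("sender-domain", f"From is {sender.addr_spec}, not @{trusted_domain}"))
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if sender and reply_to and reply_to.domain.lower() != sender.domain.lower():
        findings.append(("reply-to-mismatch", f"replies go to {reply_to.addr_spec}"))

    parser = HtmlLinks()
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser.feed(body.get_content())
    text = " ".join(parser.text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(("urgency", f"body contains '{phrase}'"))
            break

    for href, visible in parser.links:
        if LOOKS_LIKE_URL.match(visible) and host_of(visible) != host_of(href):
            findings.append(("link-mismatch", f"text shows {host_of(visible)} but goes to {host_of(href)}"))

    if any(True for _ in msg.iter_attachments()):
        findings.append(("attachment", "message carries an attachment; verify out of band before opening"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML, "example.com"):
        print(f"[{code}] {detail}")
```

None of these signals is proof on its own (internal mail legitimately carries attachments and deadlines), which is why the function returns every finding rather than a verdict, leaving the decision and the phone call to a known number with the person who reported the message.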

A group effort

In an age where employees are using all kinds of devices and working from anywhere, the ability to be cyber aware is a critical piece of the cybersecurity puzzle. Whether employees realize it or not, their actions could open the door for cybercriminals to access sensitive information, meaning passivity towards security is no longer acceptable. With an essentially obliterated network perimeter, employee training must be an integral aspect of today's security strategy. Train them comprehensively and on an ongoing basis so that they can take part in protecting themselves and the organization.

Find out more about how Fortinet's Training Advancement Agenda (TAA) and NSE Training Institute programs, including the Certification Program, Security Academy Program and Veterans Program, are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.


Copyright © 2021 IDG Communications, Inc.