The Importance of Security Awareness Training Programs for Remote Workers

Henry Awere
Published in The Startup · 6 min read · Apr 10, 2020


Introduction

As the world faces uncertain times due to the spread of the coronavirus, the security teams of businesses and public sector organizations are scrambling to put the necessary security controls in place for remote workers. A pandemic of this magnitude has increased dependency on digital communications. Internet-based collaboration and communication tools have, almost overnight, become the primary channel for human interaction, and this has expanded the attack surface considerably: more devices, home networks and cloud services now sit between employees and the data they handle.

Cybercriminals are increasingly exploiting human weaknesses through social engineering. The FBI has warned that it has seen a rapid increase in phishing scams tied to COVID-19, and the Department of Homeland Security, the U.S. Secret Service and the World Health Organization have all issued similar warnings about coronavirus-themed scams. The UK Department for Digital, Culture, Media & Sport's 2020 Cyber Security Breaches Survey found that, among businesses that identified a breach or attack in the previous twelve months, 86% reported phishing attacks, indicating that social engineering is the preferred method of cybercriminals.

Remote Workers Role in Protecting IT Systems

Businesses and public sector organizations cannot protect the confidentiality, integrity, and availability of their information assets without ensuring that all people involved in using and managing IT systems “understand their roles and responsibilities related to the organizational mission; understand the organization's IT security policy, procedures, and practices; and have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible” (NIST, 2003).

This is why it is crucial, right now, for organizations to routinely conduct security awareness and training programs so that their user base is equipped with the skills to protect the systems entrusted to them. The need has become even more pressing now that the majority of businesses have been forced to implement telework policies.

What is An Awareness Training Program?

Security awareness is intended to change behaviour or reinforce good security practices. Organizations must distinguish between awareness and training. The purpose of awareness is simply to focus the attention of the organization's user base on security: awareness presentations help employees recognise IT security concerns and respond accordingly. In awareness activities employees are recipients of information; in a training environment, participants play a more active role.

Awareness is about reaching a broad audience across the organization. Training is more formal and is about equipping participants with the specific security skills needed to avoid falling victim to cyber-attacks. For example, an awareness topic might cover the social engineering techniques employed by cybercriminals: what social engineering is, the common types of attack (phishing, vishing, pretexting), what can happen if an employee falls victim, and what to do if they do.

As stated above, the training component of an awareness and training program equips the organization's IT user base with the security skills and competencies needed to perform their jobs effectively. Training should focus on skills an individual can actually use. The key distinction is that training teaches skills that let a person perform a specific function, while awareness draws a user's attention to a specific issue or set of issues. For a company's security program to succeed and to reduce the risk of human error, employees must understand basic security principles and how to apply them in practice.

NIST Special Publication 800-50 suggests that an IT security training course for system administrators “should address in detail the management controls, operational controls, and technical controls that should be implemented. Management controls include policy, IT security program management, risk management, and life-cycle security. Operational controls include personnel and user issues, contingency planning, incident handling, awareness and training, computer support and operations, and physical and environmental security issues. Technical controls include identification and authentication, logical access controls, audit trails, and cryptography” (NIST, 2003).

Conducting a Needs Assessment

Organizations have to conduct a needs assessment before the awareness and training program begins. According to NIST, a needs assessment is “a process that can be used to determine an organization's awareness and training needs”. It allows an organization to identify its strengths and weaknesses and to design a program that meets the identified needs. Different tools and methods can be used to determine overall security training needs; they should be selected with an understanding of the organization's culture and conventions, its size, and the complexity of its workforce. Certain stakeholders should be consulted during the needs assessment: the executive management team, security personnel (security program managers and security officers), and system owners.

Using Metrics to Measure the Success of the Awareness Training Program

An effective awareness and training program needs metrics to determine its success or shortcomings and to adjust accordingly. Metrics are tools organizations use to support decision making and to improve performance and accountability. Without good metrics and corresponding evaluation methods, an organization cannot accurately evaluate its security awareness and training program. As NIST SP 800-55 notes, “Effective security metrics should be used to identify weaknesses, determine trends to better utilize security resources, and judge the success or failure of implemented security solutions.” For an awareness program, practical metrics include the click rate and the reporting rate in simulated phishing exercises, training completion rates, and the number of genuine phishing reports employees submit over time.

Some Risky Behaviours Remote Workers Should Avoid

Some basic security tenets every employee should know: legitimate businesses and organizations will not ask for personally identifiable information (PII) or credentials through an unsolicited email. Employees should always verify a hyperlink before clicking it; hover over the link (or long-press it on a mobile device) and check that the destination shown matches the text, since the visible text and the real target can differ. Be distrustful of any email insisting on immediate action. Watch for spelling and grammar mistakes, though a well-written message can still be a phishing attempt; generic greetings and unknown senders are other indicators. The best protection is awareness of the methods and techniques cybercriminals use. Remote workers should adopt a security mindset, assume that any email or hyperlink could be malicious, and report suspicious messages to their security team rather than simply deleting them.
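A worked example of the hyperlink check described above. This is an added example, not code from the original article: a small Python script that extracts every link from an HTML email body, compares the domain a link displays with the domain it actually points to, and flags the other cues listed above (urgency phrases, generic greetings, punycode or raw-IP hosts, plain http). The phrase lists and the sample message are constructed for illustration; the punycode label in the sample is made up and does not correspond to any real site.

```python
"""Flag common phishing indicators in an HTML e-mail body.

Added example for this article, not code from the original. The phrase lists
and SAMPLE_EMAIL below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed cue lists; a real deployment would tune these to the organization.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "dear sir/madam")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_findings(href, text):
    """Indicators for one link: displayed host != real host, punycode, raw IP, plain http."""
    findings = []
    target = _host(href)
    # Only compare hosts when the visible text itself looks like a URL or domain
    # (heuristic: a single token containing a dot); "Click here" is skipped.
    shown = _host(text) if re.search(r"^\S+\.\S+$", text) else ""
    if shown and shown != target and not target.endswith("." + shown):
        findings.append(f"link text shows {shown} but target is {target}")
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append(f"internationalised (punycode) host: {target}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
        findings.append(f"link host is a raw IP address: {target}")
    if urlparse(href).scheme == "http":
        findings.append(f"unencrypted http link to {target}")
    return findings


def analyze_email(html):
    """Return a list of human-readable phishing indicators found in the body."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        findings.extend(link_findings(href, text))
    # Crude tag stripping is enough for keyword matching on the body text.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in plain:
            findings.append(f"urgency cue: '{phrase}'")
    for greeting in GENERIC_GREETINGS:
        if greeting in plain:
            findings.append(f"generic greeting: '{greeting}'")
    return findings


# Constructed sample message (not a real phishing e-mail); the punycode label
# in the href is made up for illustration.
SAMPLE_EMAIL = """<html><body>
<p>Dear Customer,</p>
<p>Your mailbox will be suspended within 24 hours. Verify your account immediately.</p>
<p>Open <a href="http://portal.xn--exmple-cua.com/verify">https://portal.example.com/login</a>
and sign in to confirm your identity.</p>
<p>IT Helpdesk</p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

Run it on a saved message body and each indicator prints on its own line. The host comparison is the part that matters most: the sample's link reads as a company portal but resolves to a different, punycode domain over plain http, which is exactly the mismatch a user sees only by hovering over the link.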

Only Use Company-Issued Devices

Remote workers should only be allowed to use company-provided devices, because company-issued devices meet a minimum security standard: their software has been configured to meet the needs of the user within the company environment, they are managed so that, if that management is working, the latest security patches have been installed, and the hardware is designed to work within the corporate network. Personal devices introduce new risks and increase the attack surface. If this requirement cannot be met, personal devices should be vetted by the employer's IT security team before being used for company work, and should at minimum run a supported operating system with current patches, full-disk encryption and endpoint protection.

Sharing a Laptop or Computer and Communicating Confidential Information

Remote workers should avoid sharing their company-issued devices with anyone. Employees working remotely are often tempted to lend their laptops to close friends and family members for personal online use. This puts the organization's security program at risk: whoever uses the device operates under the employee's authenticated session and can read, copy or accidentally expose company data, or pick up malware from sites the company would never allow. The risk is compounded on public Wi-Fi, where no authentication is needed to join the network and traffic is typically unencrypted, so a threat actor on the same network can intercept or monitor any confidential data that is not protected by a VPN or TLS. Employees also need to remember not to communicate confidential company information to anyone who is not authorized to receive it.

Conclusion

For information security specialists, the number one priority is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The information security literature concludes that people are one of the weakest links in the security chain. The opportunities for employees to make mistakes and compromise important information assets have increased sharply now that organizations have been forced to implement telework policies. To address this, NIST suggests organizations implement “a robust and enterprise-wide awareness and training program to ensure that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them” (NIST, 2003).


Henry Awere is the Founder of Strategic Consulting Inc. He holds a Master's degree in Public Policy and a Postgraduate Certificate in Cyber Security.