The CISO’s Russian Roulette: Not Training Remote Employees

Are you failing to provide training to your remote employees? That could jeopardize the continuity of your business.

Human risk skyrocketed when millions of people moved to working entirely remotely. That created millions of home endpoints for social engineers to target, exploiting people's fear, uncertainty, and lack of skill in recognizing threats.

The human risk is enormous. It's like playing Russian roulette. The bullet is loaded into the revolver, the cylinder is spinning, and the gun is pointed at your defenses. It takes only one employee to fail for that gun to go off.

At the moment, we are so reliant on digital infrastructure that a data breach could have a severe impact on the continuity of the business. The consequences of a breach are always disastrous, but now there is more on the line.


Approximately 99% of remote workers want to keep working from home, but there is a problem.

Remote work has been a trend for years among innovative startups, and other companies have followed to satisfy their workforce. Just recently, because of the COVID-19 pandemic, many companies have needed to accept that remote work is happening regardless of whether they like it or not.

In the future, more employees will expect their employers to offer the possibility of working from the peace of their homes. In Buffer's State of Remote Work 2019 survey, 99% of the respondents said that they wanted to work from home at least some of the time. The main reasons were a flexible schedule, the freedom to work from any location, and more time with family. The majority of the respondents worked from home, but other preferred places were coffee shops, libraries, and holiday rentals while travelling.

The luxury of remote work comes with a set of cybersecurity challenges. When people work from home or public places, the attack surface becomes massive, and your human risk increases significantly. Sadly, attackers know this, and they try to turn this to their advantage.


90% of Remote Workers are Not Secure

This might come as a surprise, but 90% of remote employees are not secure. Every action users take while working from the peace of their homes is a potential risk.

Here are the most common factors that make remote employees vulnerable to attacks:

  • No two-factor authentication
  • Weak passwords and no password manager
  • Missing or weak access control
  • Employees using their own devices, which can fall through the cracks of corporate security (46% admitted that they use their own devices for work)
  • Problems with network and VPN configuration
  • Using Wi-Fi that is not secure (e.g., working from coffee shops)
  • Misconfigured devices and services
  • Not installing software and application updates promptly
  • Employees are off the corporate network, so the company has less visibility into and control over their devices and traffic
  • Phishing emails and malware

To improve security, put a written remote-work policy in place and implement at least the following: multifactor authentication, a strong password policy backed by a password manager, a VPN, secure Wi-Fi, an EDR solution, disk encryption, data backups, and antivirus software. Also reinforce the need to install updates as soon as they are released, and provide essential security training for the remote workforce.

You will have to allow remote work in the future too, for many reasons, so you must also prioritize the security of your data.


Consequences of a Data Breach: Now More Disastrous Than Ever

It is never a good time for a data breach, but surely right now is a terrible one. The economic impact of the pandemic has been so severe that a breach could take an even more significant toll on businesses than usual.

Even in calmer times, the consequences of a data breach include lost productivity, lawsuits, fines, and reputational damage.

According to IBM's Cost of a Data Breach Report 2019, the average cost of a data breach is 3.92 million US dollars. The United States has the highest average cost, at 8.19 million US dollars. Only 67% of the cost is incurred in the first year; the rest arrives in the second year and, for some costs, more than two years after the breach.

IBM breaks the total cost of a data breach down into four categories: detection and escalation, notification, post-breach response, and lost business. Lost business is the largest of the four. A disruption to business operations is expensive because it can hinder or entirely stop the delivery of products or services. Now that every business relies on digital infrastructure to keep operating, minimizing the chance of a breach is vital.

According to Infosecurity Magazine, hacking and phishing attacks were up by 37%, with peaks of as much as six times their normal levels, and COVID-19-related attacks targeting employees increased by over 600%. This shows that protecting the remote workforce should be treated as a top priority.

Right now, it’s not just your data at serious risk, but also whether you can keep your business running during these remote working times.


Not Training Remote Employees Is a Hazardous Game

The bullet could be fired at any time, even if you are already doing a tremendous job of reducing the chance of an attack. One small mistake can end in disaster. There is no 100% protection against cyberattacks, but you can always lower your risk profile.

If you are not securing your remote employees, you are gambling with the security of your assets. Most of the items on the list above are things you control, and you can make sure security measures are applied to them.

You should be concerned about phishing emails and malware attacks. Having good anti-phishing protection software is not enough. Some attacks will slip through your filters. When that happens, you need to rely on your remote employees.

When malicious emails reach your employees' inboxes, each one is a bullet that could be fired at your defenses at any time. People are now spending more time online at home, where they can't simply lean over and ask a coworker whether a suspicious-looking email is legitimate; they have to rely on their own knowledge, and it's your responsibility to train them.


Security Training Can Decrease Human Risk

You need to be able to trust your employees to fight off attackers by recognizing risky emails, and security training is key to that. Training must build people's confidence and ability to identify threats and do the right thing: report them to the security team, and never click the links or open the attachments. Training is your best chance to reduce risk, and you will sleep better at night.

You can use phishing simulations to train employees to recognize possible threats. Training should be kept up to date so that it reflects actual emerging threats, such as the COVID-19-themed lures that have been flooding people's inboxes over the last few weeks.

Effective training does more than raise awareness of cyber threats. Good training gives remote employees an "aha" moment: they realize the surprising number of threats they receive, and they start watching out for them. The training must be a tangible tool that teaches employees to spot emails that could harm your company. People should learn more than just to recognize these emails and not click on them. It's a safer bet if they report every suspicious email, so that the threats can be analyzed and remote employees get feedback on whether or not it was malicious. When you make reporting a priority, and the process is simple enough, you can do a better job of mitigating incidents.
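The feedback loop described above (an employee reports a suspicious email, the security team analyzes it and tells the reporter whether it was malicious) is easier to keep simple when the first pass is automated. The script below is an added example, not tooling from the original article: it parses a reported .eml message and checks the same indicators awareness training teaches people to look for, namely a display name that impersonates the company while the sender address does not, a Reply-To that points elsewhere, an SPF/DKIM failure recorded by the receiving server, urgency wording in the subject, and links whose visible text hides a different destination. The trusted domains, the organization keywords and both sample messages (a COVID-19-themed phish and a legitimate reminder) are constructed for the example.

```python
"""Triage a user-reported e-mail for common phishing indicators (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organization: domains it legitimately sends from, and words an
# attacker would put in a display name to impersonate it.
TRUSTED_DOMAINS = {"example-corp.com"}
ORG_KEYWORDS = ("example-corp", "it support", "helpdesk")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your", "covid")
# Link text that looks like a URL or hostname, e.g. "https://vpn.example-corp.com/login".
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw_eml, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable phishing indicators found in raw_eml."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. Display name impersonates the organization, but the address is not ours.
    if any(k in from_name.lower() for k in ORG_KEYWORDS) and from_dom not in trusted:
        findings.append(f"display name '{from_name}' does not match sender domain {from_dom}")

    # 2. Replies are steered to a domain other than the sender's.
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. The receiving MX recorded an authentication failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(fail|softfail|none)\b", auth)
        if m:
            findings.append(f"{mech} result was '{m.group(1)}'")

    # 4. Pressure or lure wording in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency/lure wording in subject: {hits}")

    # 5. Links: text/href mismatch, raw IP or punycode hosts, untrusted hosts.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for text, href in parser.links:
            host = _host(href)
            m = HOSTLIKE.match(text)
            if m and m.group(1).lower() != host:
                findings.append(f"link text '{text}' hides destination {host}")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or "xn--" in host:
                findings.append(f"link to IP-literal or punycode host {host}")
            if host and host not in trusted and not host.endswith(tuple("." + t for t in trusted)):
                findings.append(f"link to untrusted host {host}")
    return findings


# Constructed sample of a reported COVID-19-themed phish (not a real message).
REPORTED_EML = """\
From: "Example-Corp IT Support" <it-support@examp1e-corp-secure.com>
Reply-To: helpdesk@mail-recovery.example.net
To: alice@example-corp.com
Subject: URGENT: COVID-19 remote access policy - verify your account immediately
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp-secure.com; dkim=none
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to COVID-19 all remote staff must re-verify VPN credentials within 24 hours.</p>
<p><a href="http://203.0.113.7/vpn/login">https://vpn.example-corp.com/login</a></p>
<p>Regards,<br>IT Support</p>
</body></html>
"""

# Constructed legitimate message, to show the checks stay quiet on clean mail.
CLEAN_EML = """\
From: "Example-Corp IT Support" <it-support@example-corp.com>
To: alice@example-corp.com
Subject: Reminder: monthly patch window on Friday
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Patches install at 18:00. Details: <a href="https://intranet.example-corp.com/patching">intranet.example-corp.com/patching</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(REPORTED_EML):
        print("-", finding)
    print("clean message findings:", triage(CLEAN_EML))
```

Each finding is worded so it can be pasted straight into the feedback sent to the reporter, which is the part of the process that keeps people reporting. The checks are deliberately conservative (a hostname-looking link text is only compared when it actually looks like a hostname, and trusted subdomains are allowed) so that legitimate internal mail does not generate noise; anything the script does not flag still goes to a human, it only orders the queue.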

The other week, a CISO told us: "I am not afraid of the kid that's trying to penetrate our tech defenses, but I am terrified that our employees may make a mistake and what it could cost us."

Stop playing Russian roulette and make sure the revolver is not loaded: start investing in your employees as the most critical asset in your defense strategy. The only way to keep that bullet from being fired is to educate your remote workforce.