Cybersecurity training in a remote work environment

It is no secret that the U.S. has been victim to an increasing number of cyber attacks in the last year, but many organizations are left wondering how to respond. Credit unions, in particular, are facing a growing demand, and an unavoidable need, to mitigate risk especially when it comes to protecting member data.

The challenge is exasperated by the remote work environment that is seemingly here to stay beyond the pandemic. It was hard enough to keep employees updated and aware of potential cyber threats when everyone was in person. Now organizations have to consider home environments and behaviors in addition to those within the physical office space.

Our team shares a few tips for how to train employees to help your organization mitigate risk.

• Education and Awareness

The number one way a company can minimize its risk for a cyber attack is to reduce the attack surface. However, if people aren’t aware of the steps they should be taking or what they should be looking out for, organizations aren’t able to leverage their first line of defense – their employees.

For an employee to be able to identify a potential cyber attack, they have to know what they are looking for. Attacks have morphed and evolved in recent years and hackers are getting more and more sophisticated. The first step to training employees is to inform them about the types of attacks occurring and what to look for, and avoid. Since we have an increasingly distributed workforce with employees working anywhere, the attack surface is growing as hackers use social engineering to phish and acquire user data in targeted attacks.

• Security Habits

In the “past” when we all worked together in the office, it was easy for employees to pop their head over a cubicle or knock on the office door down the hall, and ask a colleague if they thought an email or text message they received was odd. Today, in our isolated environments, it’s harder to get a quick response – often, if an employee asks a colleague, it’s through an email or Microsoft Teams message that might never receive a response.

In reality, the colleague next door isn’t the right person to ask anyway. The next step in training employees is to empower them to know who to contact about a suspicious event. Encourage your staff to always ask questions and always be curious. Employees should be able to detect when something seems out of place or unusual, and know the people to notify. Simulation exercises are a great way for employees to recognize situations that should be avoided or flagged, and to understand the process for notifying the right people in the event of a potential or perceived threat.

• Mobile Device Management

With employees working remotely using a number of different devices, the burden rests on organizational leadership to ensure that the right controls are in place. Organizations should limit who can access data and apps on certain devices, and who has access to data in general.

One way to address this is by implementing a Zero Trust policy. According to Microsoft, “Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access.”

Two-factor authentication proves a user’s identity by requiring two ways to verify a user. This uses a combination of something you know (a password), something you have (cryptographic identification device; token), and something you are (biometrics). Using a Zero Trust policy coupled with two-factor authentication provides one of the best ways to protect systems from attack by proving the identity of the user.

A cyber breach is unavoidable but with the right partners, and ongoing training, organizations can mitigate risk and better prepare for an attack to minimize damage and downtime.