Bharat Mistry, Principal Security Strategist, Trend Micro

The past six months will be seen as a turning point for organisations and the way they approach work.

Virtual working is fast becoming the preferred way to work for many employees and nobody is expecting businesses to return to the way things were pre-COVID at this point. While this might be seen as a benefit to many employees, it is a potential red flag for CISOs.

If you were worried about insider threats before, the same risks could be many times greater among a newly distributed cloud-based workforce. This is why training is all the more important.

This is evident across multiple sectors, including healthcare, where the UK government has set up a £500,000 funding scheme to cover the cost of security training at small and medium-sized healthcare firms.

But it shouldn’t be a matter of creating a blanket cybersecurity training scheme – with the risks less related to education and more to psychology, it’s time for organisations to take a more nuanced approach to employee security training.

Understanding the rule breakers

Our latest global study of more than 13,000 remote workers found that a majority (85%) of employees take instructions from their IT team seriously and agree that cybersecurity is partly their responsibility (81%). 64% also recognise that using non-work applications on a corporate device is a security risk.

Yet over half (56%) admit to still using these applications and even uploading corporate data to them. At the most extreme, other respondents even owned up to using work devices to access adult content.

Asked why they continue to ignore security procedures, just under a third of respondents (29%) believe the solutions provided by their company are ‘nonsense’ and will continue to use non-work applications.

These stats should not come as a shock to many businesses. The difficulty security teams have always faced is convincing users that following policies, accepting security controls and using pre-approved apps and devices won’t negatively impact their ability to do their jobs.

But particularly under lockdown, the shift to productivity at all costs has threatened to disrupt this delicate balance. This comes as cyber-criminals look to capitalise on distracted home workers, unprotected endpoints, overwhelmed VPNs, and distributed security teams who may be forced to focus on more pressing operational IT tasks.

With many organisations struggling financially in the wake of government-mandated lockdowns, few will welcome the costs associated with a serious security incident.

Cybersecurity personas

Best practice cybersecurity requires a combination of people, process and technology. However, the people part has historically been neglected, which is one of the reasons why phishing attacks are today the most popular cybercrime threat vector.

Training programmes are too often one-way, one-off affairs which may raise awareness for a short time, but do little to actually change behaviours in the long-term.

Part of the reason for this failure is that they assume all staff members are basically the same. Of course, they are not. Fearful staff members may react well to real-world simulation exercises, which let them safely try and experience situations they would not normally encounter.

They may also benefit from being mentored by conscientious personas, who can be used as security champions in the organisation. Ignorant users need training and practical advice on how to mitigate risks.

To keep them engaged, it may be necessary to use gamification techniques, or again those phishing simulation exercises, which can be updated each time to reflect current scams. It’s also important to recognise that these personas may require additional intervention to help them understand the consequences of risky behaviour. Meanwhile, daredevils are perhaps the most challenging as they don’t respond well to authority.

However, even here CISOs can achieve promising results, perhaps by using reward schemes to change behaviour. Ultimately, no two organisations are the same. CISOs will need to approach this task according to their risk appetite and the type of work remote staff undertake.

The most important thing to bear in mind with user training is to keep lessons short and regular, and act on the feedback you receive to continuously improve courses. These should never be a chore for employees.

With a more considered, personalised approach, CISOs can change user behaviours and build both an effective first line of threat defence and a security-aware corporate culture.