Cybercrime remains a worldwide threat, with businesses of all sizes increasingly being targeted. As such, organizations must take appropriate steps to safeguard their digital assets, a strategy that must include comprehensive employee training.
COVID-19 & the Shift to Digital Work
COVID-19 has fundamentally changed how we go about our lives, go to work, and do business, and our cybersecurity strategies need to reflect this change. Working from home has become the standard for many employees, and even once the pandemic subsides, many employers may continue to favor remote work over office-based working arrangements. As such, organizations need to invest in digital transformation to reduce potential future disruption, a step many companies are already taking.
In his most recent letter to shareholders, Palo Alto Networks CEO Nikesh Arora outlined several trends that his company expects to see in the coming months and years. He predicts that:
- Working from home is here to stay. This means that good cybersecurity policies will have to focus on securing both offices and employee homes to safeguard digital operations.
- More organizations will migrate to cloud-based systems to better support remote work. This shift means that legacy operating procedures will need to be updated.
- As work-from-home and using the cloud become more commonplace, many organizations will need to automate select portions of their business, such as logistics and billing. This automation will depend heavily on AI, which will further accelerate investment in this technology.
Unfortunately, the sudden pivot to remote work has brought with it many problems for organizations. There has been a noticeable uptick in digital breaches as more vulnerabilities are discovered, targeted, and exploited by malicious cyber actors. The jarring shift to remote work has shone a light on the benefits of VPNs. VPNs are a valuable tool, but they are only able to protect digital assets if they are updated regularly to take advantage of security patches as they are made available.
The confusion and disorientation of the pandemic have emboldened many malicious cyber actors, who have responded by targeting remote workers with their phishing scams. Organizations can help safeguard worker credentials, and the organization’s digital assets, by requiring multi-factor authentication (MFA) for remote access.
What Are Some General Best Practices My Organization Should Be Implementing?
There are steps you can take to safeguard your workers and your digital assets.
Technical Security Practices
Assess & Remediate Current State of Vulnerabilities
You should be conducting regular vulnerability scans so that your cybersecurity protocols can be updated accordingly. You should also ensure that your business software, endpoints, security devices, and VPN solutions are all kept up to date and incorporate the latest security patches.
Cloud-based VPNs, such as Palo Alto Networks' Prisma Access SASE solution, are a cost-effective way to provide employees with a secure connection to your company's cloud and data center-based applications and data wherever they are working. VPNs authenticate users and can ensure comprehensive, consistent security without the need to purchase hardware or increase IT complexity.
Prisma Access has been purposefully architected to be cloud-native in the truest sense of the phrase, leveraging infrastructure-as-a-service (IaaS) providers like Amazon Web Services (AWS) and Google Cloud Platform to scale dynamically when the need is most critical.
Cloud Access Security Broker (CASB)
Using cloud SaaS solutions, especially during COVID, has enabled organizations to remain productive from the safety of their own homes. As such, securing cloud-based applications such as Salesforce.com, Office365, and Workday is even more important to extend on-premises security requirements to the Cloud. Cloud Access Security Brokers (CASB) allow organizations to apply security policies, monitor behavior, and manage risk across the entire set of enterprise cloud services and providers.
Palo Alto Networks' Prisma SaaS solution makes SaaS adoption safe by reducing the risk of data exposure, breaches, and non-compliance, offering advanced data protection and consistent policy across applications.
Consider Implementing Multi-Factor Authentication
Another step you can take to strengthen security for your remote workforce is multi-factor authentication (MFA).
Multi-factor authentication adds at least 2 layers of security to a user's credentials. Often multi-factor is based on something you have (e.g., a smartphone or a security token) and something you know (usually a password or passphrase). Additional factors may include something you are (a fingerprint) or somewhere you are (a location inferred from your IP address).
Certain MFA solutions can alert an administrator when there are several failed login attempts against an account. A good MFA solution you may want to consider is Okta's Adaptive Multi-Factor Authentication.
Select a Solid Email Security Solution
To further safeguard your email, make sure you are using email security software specifically designed to safeguard your organization. Choose programs that go beyond basic spam filters and secure your email across all 3 zones: along the perimeter, inside your organization and network, and beyond the perimeter. Securing your email in all 3 zones is vital to help you take a proactive approach to email security.
A good email security program will also do more than filter out blatant phishing attempts and other scams and be able to look for ransomware and other forms of malware. Look for solutions that offer real-time threat detection (such as Mimecast) and can be easily integrated into your existing infrastructure.
Security Awareness for a Remote Workforce
If employees aren’t able to recognize threats, they aren’t able to avoid, report, remove or otherwise address them.
Even the most robust security solutions and comprehensive security software are no substitute for employee training. After all, employees, not technology, are the most common points of entry for cybercriminals.
The 2019 State of IT Security Survey found that employee training and email security were the top problems faced by IT security professionals. However, a survey by Wombat Security Technologies found that more than 30% of employees polled didn’t even know what malware and phishing were. This knowledge gap is alarming and underscores the importance of regular, relevant, and comprehensive cybersecurity training.
Providing your employees with cybersecurity training accomplishes several things:
- It gives them the knowledge and skills they need to do their part to safeguard your organization’s digital assets.
- It helps keep cybersecurity best practices top of mind.
- It helps them to identify the latest phishing attempts, including those that seek to exploit the COVID pandemic.
- It helps ensure employees are aware of and comply with security policies.
As most workforces are currently remote, organizations are turning to Mimecast Ataata and KnowBe4 for content-rich web-based training that lets organizations deliver video-on-demand courses, testing, and simulated phishing campaigns.
What Types of Training Should My Organization Offer?
For most organizations, training should fall into 2 broad tiers: user awareness training and technical training.
All employees should be offered user awareness training to teach them why cybersecurity is important, why specific requirements and initiatives are in place, and who to report suspicious activities to. User awareness training allows every employee to do their part and turns them into extra eyes and ears for the security team.
The security team should receive technical training so that they have the tools and knowledge they need to go beyond recognizing potential threats to dealing with them effectively and proactively addressing any security vulnerabilities that could leave your network exposed.
To enhance your training, you should explore a variety of high-quality tools and resources to help make training both informative and engaging. Interactive modules, games, videos, posters, and regular newsletters can help your employees better engage with the content and help keep cybersecurity top of mind between formal training sessions.
Training Methods & Tips For User Awareness Training
In addition to traditional classroom settings with large groups, you may also want to consider other training methods.
Video-on-demand training is a great way to let employees work through the training material at their own pace, and webinars can allow employees to really engage with the content.
Once employees have begun to work through the training materials, you may want to consider running a targeted email or social media phishing simulation to see how well your employees remember their training and to identify gaps before they can be exploited by cybercriminals.
Cybersecurity is everyone’s job. Even the most advanced cybersecurity strategy will fall short if employees don’t understand why cybersecurity is important, what they can do to safeguard your organization and its digital assets, and what to do if they encounter something suspicious. Periodic training that leverages a variety of learning methods can make learning both fun and engaging and allow employees to explore different learning styles and different ways of engaging with the material.