Security professionals have long struggled to deliver effective cybersecurity training. Employees dislike it, and in fact much of the available training is tedious, not interactive, or not frequent enough to ensure the message gets through. Anecdotally, security managers have sometimes had to visit employees in person to threaten or bribe them into finishing mandatory training or showing up to an in-person session. Even in the best of times, when everyone spent most of their working hours at the workplace, conducting cybersecurity training was difficult.
But now, with everyone just trying to remember what day it is and attempting to find the one quiet space in the house for the daily Zoom department meeting, cybersecurity education is probably not a top priority. Cybersecurity from remote locations? Yes, all companies have to focus on that. But monthly phishing training? There are likely more pressing issues to worry about.
However, said Jack Koziol, CEO and founder of Infosec, continuing cybersecurity training and education while working at home couldn’t be more important right now.
“The bad guys are blanketing the world with coronavirus-themed phishing attempts and they are seeking vulnerabilities by hammering away at all these WFH systems now being used,” Koziol stated. “When we look at what all of us are up against, consider an industry with a 100% remote workforce, with new access to previously untapped markets. This industry seeks to profit off of fear, chaos and misinformation. Cybercrime will surely have a banner year in 2020.”
Cybersecurity Training Should Focus on Coronavirus
Sending COVID-19-themed mock phish to employees is a hot topic these days, and it has led to a debate among people who run training and awareness programs, said Lisa Plaggemier, chief strategy officer at MediaPro.
There are basically two lines of thinking. On the one hand, the bad guys are doing it, so we should too, sending gotcha phishing emails internally. Supporters of this approach argue that it is the only way people will really learn.
On the other hand, people are stressed enough as it is, so sending fake COVID phish is insensitive. It might also train employees to ignore critical, legitimate COVID email, even from their own HR department or state and local health officials.
“I think there is a middle path and a good process to follow to do it right,” said Plaggemier. First, overcommunicate about COVID-19 phishing and scams in your awareness program. Show people examples of real COVID-19 phish, and remind them of the signs to look for.
“You may even want to tell them in advance that you’re going to start using COVID themes in your phishing program,” she advised. “Do all you can to raise awareness before you start phishing them.”
Also, consider other mock phishing templates that are timely but not specifically about COVID, such as food delivery, package delivery, restaurant coupons and the like. Those pack less of an emotional punch than a mock phish from the WHO or another health authority, but will still get the message across.
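The "signs to look for" that the middle path asks you to teach can also be written down as checks. The following is an added example, not code from the article or from MediaPro: a small heuristic checker run over two constructed messages (a COVID-themed lure impersonating a health authority, and an ordinary internal HR update). Every domain in it is made up under `.example`, the brand list and urgency words are placeholders an awareness program would tune, and the `registrable_domain` helper is a deliberate simplification of public-suffix handling.

```python
"""Heuristic phishing-indicator checker for awareness material.

Added example with constructed messages; not part of the original article.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: COVID-themed lure impersonating a health authority.
SAMPLE_PHISH = """\
From: "World Health Organization" <alerts@who-int.example>
Reply-To: covid-updates@mail-relay.example
To: staff@corp.example
Subject: URGENT: Updated COVID-19 safety measures - action required within 24 hours
Content-Type: text/html

<p>Please review the attached guidance immediately.</p>
<p><a href="http://who-int.example.login-verify.example/doc">https://www.who.int/covid-19/guidance</a></p>
"""

# Constructed sample: a routine internal message that should raise no flags.
SAMPLE_LEGIT = """\
From: "HR Team" <hr@corp.example>
To: staff@corp.example
Subject: Weekly update on remote working arrangements
Content-Type: text/html

<p>This week's update is on the intranet: <a href="https://intranet.corp.example/news">https://intranet.corp.example/news</a></p>
"""

# Assumed brand list for the demo: display names a lure is likely to use,
# mapped to the brand's real registrable domain.
KNOWN_BRANDS = {"world health organization": "who.int", "who": "who.int"}
URGENCY_WORDS = ("urgent", "immediately", "action required", "within 24 hours", "suspended")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo, not for production."""
    return ".".join(host.lower().split(".")[-2:])


def check_message(raw):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name claims a known brand, but the sender domain is not that brand's.
    brand_domain = KNOWN_BRANDS.get(display.strip().lower())
    if brand_domain and registrable_domain(from_domain) != brand_domain:
        findings.append(f"display name '{display}' but sender domain '{from_domain}'")

    # 2. Lookalike sender domain: the brand's labels appear joined by a hyphen.
    for brand_domain in set(KNOWN_BRANDS.values()):
        if from_domain != brand_domain and brand_domain.replace(".", "-") in from_domain:
            findings.append(f"lookalike sender domain '{from_domain}' resembles '{brand_domain}'")
            break

    # 3. Reply-To routes replies to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply:
        reply_domain = reply.rsplit("@", 1)[-1].lower()
        if registrable_domain(reply_domain) != registrable_domain(from_domain):
            findings.append(f"Reply-To domain '{reply_domain}' differs from sender '{from_domain}'")

    # 4. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency language in subject: {hits}")

    # 5. Link text shows one URL while the href points at a different host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', text, re.I):
        href_host = re.sub(r"^https?://", "", href).split("/")[0]
        shown_host = re.sub(r"^https?://", "", shown.strip()).split("/")[0]
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows '{shown_host}' but points to '{href_host}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw) or ["no indicators"])
```

Running it flags five indicators on the lure (brand mismatch, lookalike domain, divergent Reply-To, urgency wording, and a link whose visible text does not match its target) and none on the HR message. Each finding maps to one of the cues a training session can teach; the point is that the cues are concrete and checkable, not that a regex replaces a mail gateway.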
Why Training Is So Important Now
Remote work has put an exclamation point on the need for security training, and coronavirus-related attacks have upped the ante. Many people have been thrust into a remote work situation they have never experienced before, and there are security basics they still need to learn. Some employees are being asked to use VPNs or authentication options they never had to use inside the office. Employees who find these controls inconvenient may look for workarounds, so they need a primer on the threats of working remotely and on why the controls are there.
Starting Your WFH Security Training
The good news is that training from home has never been easier.
“Previously, one would commonly travel to a one-week workshop to gain access to industry expertise,” noted Evan Dornbush, co-founder at Point3 Security. Even if you enjoyed learning via that approach, that’s impossible now with social distancing.
“Online learning ecosystems allow you and your fellow employees to engage from anywhere,” he added. “Advancement in virtualization technology allows one to not only watch videos but also to explore methodologies and apply tradecraft against live systems already set up and cloud-hosted for your enjoyment. You can compete and collaborate in expansive communities. The workforce development industry has already been trending in this direction. COVID-19 simply accelerated the timeline for the adoption of these market offerings.”
Organizations should also have a plan in place to monitor training by remote workers. “In my opinion, monitoring and reporting in real-time are key,” said Infosec’s Koziol. “Catch the errors quickly, coach for the mistakes and then steady re-testing. When they become phish-identifying rock stars, then you can move them on to more challenging training.”
A regular cadence of clear, simple education and tips goes a long way toward effective security training. Educating employees and empowering them to recognize potential threats can make the workforce a powerful frontline defense against the bad guys.