Get Better Security Culture By Making It Personal
Updated: Mar 11, 2022
Traditional training approaches do a poor job improving employee behavior.
Cybersecurity has a negative impact on culture because it is not approached as a “team sport”.
Training on personal security improves your organization’s overall security.
The separation between work life and personal life has permanently changed. Hybrid work is now normal for many organizations. Employees have always been soft targets, but it’s more important than ever to get employees to think about safe cybersecurity practices all the time, not just in the office.
Has your cybersecurity training adapted? Or, are you still training employees as though there is a hard separation between work and home? This article explores how blending personal cybersecurity makes your corporate cybersecurity even better.
“Corporate Security Training” Isn’t Enough Anymore
Cybersecurity training must extend beyond the confines of a traditional corporate setting for two reasons. First, it’s just not how business works anymore. We check email on our personal smartphones, have meetings at the kitchen table, and do our jobs wherever we happen to be. Second, our entire lives involve technology and risk. Employees who are safe in their personal lives end up being safer at work.
If you can get people to have better personal security, your corporate security will improve. Good behavior happens through habit, and for most there’s no difference between work and home.
If you want employees to understand the importance of data, talk about corporate data and their 401(k). If you want employees to understand the risks of phishing, talk about business email compromise (BEC) and personal identity theft.
Some organizations will balk at this. They see it as a potential liability risk to advise employees on personal matters. That’s understandable, and we aren’t suggesting you overreach.
Instead, your training should include both corporate-specific training and general good security practices. You can do this two ways:
Cybersecurity staff can talk about what they personally do. Don’t preach or dictate, just talk about what you do personally. We’ve seen lunch-and-learns and “fireside chats” work very well.
You can hire a professional consultant, like Security Pursuit, to train employees on good security practices at work and at home. This puts in a buffer while introducing good concepts for general security practices regardless of where an employee works.
Great Topics That Merge Personal and Corporate Security
Below are some of the areas we emphasize.
Passwords are the easiest place to start. Good password practices are for the most part free. The accepted standard for password length is now 12 characters, but many professionals suggest 16 characters, and 25 for administrators. We know that’s a lot, but it’s just math. Old 8-character passwords can be cracked in seconds, whether on a company laptop or a home PC.
Passwords need to change frequently, and that’s easy to manage in a corporate setting. Yet employees often push back if the timeframe is short. Make the context a general best practice for work and home. Like changing the batteries in your smoke alarms, changing passwords on personal accounts is important for long-term safety.
Furthermore, reusing the same password on different apps is very risky due to credential stuffing: attackers take credentials leaked from one breach and replay them against other services. Yet 50% of people reuse the same password across critical applications at home and work. If distinct 16-character passwords are the requirement, encouraging the use of a password manager is now a best practice.
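To make “it’s just math” concrete for a training slide, here is an added example (not code from the article or from Security Pursuit) that estimates the worst-case time to exhaust every password of the lengths discussed above. The guess rate is an assumed illustrative figure, and the sample passwords are constructed.

```python
import string

# Constructed assumption for illustration (not a figure from the article): an offline
# guessing rate of 1e11 guesses/second against a fast, unsalted hash on GPU hardware.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Character classes and their sizes; string.punctuation holds 32 characters.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, assuming they know which classes are used."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def seconds_to_exhaust(length: int, alphabet: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet ** length / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit for a slide."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_time_table(sample: str, lengths=(8, 12, 16, 25)) -> dict:
    """Map each candidate length to exhaustive-search seconds for the sample's classes."""
    alphabet = charset_size(sample)
    return {n: seconds_to_exhaust(n, alphabet) for n in lengths}


if __name__ == "__main__":
    # Constructed samples: a lowercase-only password and a mixed-class one.
    for sample in ("sunshine", "Sunsh1ne!"):
        print(f"{sample!r}: alphabet size {charset_size(sample)}")
        for n, secs in crack_time_table(sample).items():
            print(f"  {n:>2} chars: {human_duration(secs)}")
```

The table makes the jump from seconds at 8 lowercase characters to thousands of years at 12 mixed characters visible, which is the argument employees need to hear before being asked to use a password manager.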
Yes, that password can be guessed, too, so make it hard with Multi Factor Authentication…
Multi Factor Authentication (MFA)
Setting up multi-factor authentication prevents many cyber attacks that target unauthorized access to websites and other cloud-based resources. It also provides real-time notification if a malicious actor obtains your account credentials and logs in, an often missed secondary benefit. But a common problem is that employees aren’t used to it. Wary businesses don’t want to impact user productivity or increase frustration, so they don’t enforce MFA for many employees.
It’s worth talking about MFA on personal services and applications. There’s a reason personal services such as bank and investment accounts, PayPal and Amazon allow individuals to use MFA. Including this in your training helps employees tie their personal risk to corporate risk. Getting used to setting up MFA and logging in with it demonstrates to employees that it doesn’t take long and it’s a simple process.
Phishing & Safe Communication
Email phishing is the #1 technique used to penetrate an organization’s defenses. You are likely doing phishing simulations in your corporate environment. You send realistic phishing emails with links and/or attachments as a way to measure behavior.
But, when you do training, also show some of the many screenshots of phishing attempts that target individuals. This emphasizes the need to be safe with all phishing attempts, whether at work or at home. Include smishing (SMS) and vishing (voice) examples. Show nefarious communication on LinkedIn and Facebook at the same time. The association is intuitive.
Like looking through the peephole before opening your front door, everyone needs a habit of caution and suspicion with all communications both at home and the office.
Be Careful About Revealing Personal Information
Many types of social engineering attacks attempt to lure people into revealing information that they shouldn’t reveal. People who are in the habit of revealing personal information to companies without question are more likely to fall for these types of scams at the office.
Encourage employees to become familiar with the kind of information that different companies will ask for and the ways in which they ask for that information. For example, the IRS will only communicate through mail. How do banks (personal or business) communicate?
Banks typically never ask people to click a link and enter login details or transact via email or text, but if someone doesn’t know that, they won’t be careful about it at home or in the office. Instead of instinctively giving information when requested (which is a very human response), the ideal attitude is one of skepticism. You want employees to shift the thinking behind revealing information from automatic to conscious and logical.
Practice Safe Public Wi-Fi Use
Safe use of Wi-Fi has increased in importance as BYOD policies have grown in popularity and working remotely has become the norm. There’s a high probability that employees will connect to unsecured public Wi-Fi networks. The question is whether they practice good security hygiene while connected.
Free hacking tools make it very easy to hijack sessions and steal credentials on unsecured networks. Some practices to encourage include not accessing personal financial information (e.g. banking accounts) on these networks, and verifying with a member of staff what the genuine Wi-Fi hotspot name is for that location.
Update Operating Systems and Apps
Out-of-date applications and operating systems pose serious security hazards to businesses and individuals. While this is a normal function for security teams in corporate settings, it is something we should all do on personal devices.
This can be discussed during training under the heading, “what does the security team do to keep our organization safe?” Start with the bigger discussion of enterprise systems and work back to devices. An obvious transition is to personal devices.
Many companies are moving to Zero Trust. The core principles according to NIST SP 800-207 are continuous verification, limiting the attack surface, and working within context. It will be a challenge for most companies, both technically and culturally.
Limiting and controlling access points is a more advanced concept for home systems. But, increasingly, people segment their home routers to isolate IoT devices (TVs, cameras, etc.) and guest network access. Is your Alexa really listening to everything you say? And, of course, it’s a bad idea to let the handyman onto your open Wi-Fi. How do you know his phone or tablet isn’t compromised?
Tying this into Zero Trust is logical and easy. It will make your training and security initiatives more relevant.
At Security Pursuit, when we provide security training to businesses we like to tie in personal cybersecurity. We believe that strong corporate security starts with employees ingraining personal security habits and behaviors into their daily routines no matter whether they’re at home, in a cafe, or at the office.
Your employees are your first line of defense. Helping them to understand the value of cyber-safety at home and work supports your cybersecurity efforts at every level.