Security awareness training is becoming a standard requirement for most companies in today’s world. In most regulated industries there is a requirement or guidance that a company should be training its employees in security matters. Generally a security awareness program covers the basic security topics and practices and touches on industry-specific areas for the company; overall these are higher-level briefs, tailored for all employees rather than just those with technical backgrounds. As the world changes and the lines between the corporate world and the personal world become more blurred, security awareness programs are not adjusting properly.
Take a closer look at the content of the security awareness training your company has you take annually. Chances are the topics are focused on the company’s interests, and that misses the point of true ‘security awareness’. The intent of a security awareness program is not to tell employees which security policies say what to do or not do, but to increase their awareness of security. Why are companies not making a more assertive effort to educate employees on home security as well?
Bring your own device (BYOD) is becoming a common offering in most companies, and there should be a contract or agreement between the employee and the company for using a personal device. This agreement is either a contract-type document or online training, both with an acknowledgement of understanding at the end. However, it’s uncommon for companies to go above and beyond to ensure the employee’s home network is secured as well. BYOD is the perfect example of a case where a company does have a legitimate, vested interest in how secure the employee is outside the walls.
In a prior life, over ten years ago, a company I worked for would not grant Work At Home approval until the employee proved the company laptop was connected to the home network through a router with its firewall enabled. That was a rarity; I have not seen that level of home review since.
Information security extends beyond the cubicles and offices. Any company that assumes its internal security focus is enough while ignoring what BYOD and work-from-home employees are connecting to outside those walls is irresponsible and naive. Security awareness training needs to extend beyond your walls. Help employees be more aware of security in general because, from personal experience developing security awareness programs, when employees are made aware of the security risks in their home, they will look to you for help. In turn, ‘security awareness’ has greatly increased and the program has succeeded.
Here are some topics and simple things a company can do to help employees be security aware everywhere:
- Build an at-home security checklist
- Change your WiFi password from the default
- Advanced lockdown tips, such as disabling WPS, not broadcasting the SSID, and renaming the network
- Home PC lockdown: passwords, backups, updates
- Encourage employees to use password vaults (LastPass, for example)
- Lists of antivirus and anti-malware tools, paid and free
- On your security wiki/webpage (create one if you don’t have one), offer links to the major home WiFi router product pages
- Write a simple password best-practice guide for at-home/personal accounts; the company enforces password policies, but users at home have none
- Write a tutorial on how to use a malware cleaner
- If employees don’t have their own routers or are using the ISP’s equipment, offer to sell them older office equipment as it is replaced
Most of those things we as security experts take for granted, but for the majority of employees in the company it’s Greek to them. They have no clue. When company IT equipment hooks into those home environments there is zero confidence in their security, infection level, etc., and that can cause the company major headaches, greater risk or data loss.
Security awareness should extend beyond the company-centric, self-interested view that stops at the company walls. When users are informed about security at work they see it as another checklist and do the minimum to ‘pass’ any training. The content is forgettable, it’s not applied as deeply as you’d like, and you aren’t any more secure, as was intended. However, when people can relate company security risks back to their own equipment, the devices they own and their kids, and understand that the risk of getting breached is just as high at home as it is in the office, then they listen. The tools and tips you give them are ones they have the control to put in place, and in turn they get a better understanding and awareness of the security issues the company preaches. Then you have an ‘Ah-Ha!’ moment and things click.
Over time your analysis and incident reporting team will grow to hundreds or thousands of people, because the employees know what to look for… having already done it at home with your guidance.
End of line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.