Cybersecurity in the WFH Era: How to Help Your Users “GET IT”
The reality of remote work and WFH employees presents serious security challenges for IT administrators everywhere. While IT admins can be diligent about keeping endpoint software patched, requiring VPN usage and enacting other measures, users will always be the weakest link in the chain of security.
A Quick Guide to Increasing User Security Awareness
Security training sessions help but tend to be episodic and hard for employees to fully absorb and remember. It may be useful instead to think about security awareness as a new language that users can learn. As with any language, they start with a few basic words, phrases and concepts, then their vocabulary and understanding grow over time.
Your remote and WFH users may never become “fluent” in cybersecurity. But you can help them “GET IT” by sharing the IT essentials below:
- OWN IT: Provide network devices, or permit users to expense them, from a list of preferred brands and models. This enables you to standardize procedures for remote configuration or instructions for user self-installation that cover basic things like changing the factory-default settings, disabling public wifi access, etc.
- LOCK IT: This covers both digital and physical security: require user sign-ons at system start-up or wake-up, and store work devices in a locked or otherwise secure location.
- AVOID IT: Tell users to think of public and shared wifi connections like they do STDs – something to avoid and protect themselves from. Require a VPN if users must use public or unsecured wifi.
- SUSPECT IT: IT admins do what they can to block spam and phishing messages. Users also need to do their part. Even encouraging small steps, like clicking or tapping on the name of the email sender in the message header to spot imposters, or blocking or filtering messages from unknown numbers, can help raise awareness. The same goes for bogus social media surveys meant to extract personal information or answers to security questions. Finally, tell users to “look for the lock” or the small padlock icon in the browser address bar to ensure they are connected to a secured website. When in doubt, don’t click it and ask IT.
- REPORT IT: Tell users to always inform IT of any suspicious system events, emails or messages. A message or event may be fine, or it may be a sign that a hacker is probing for security gaps or launching a larger cyberattack.
- SEPARATE IT: Require personal and business devices to be used separately and on different network connections whenever possible. IT staff can set up devices to make that easy. It’s good for security, keeps users’ private data and activities private, and eliminates the possibility of accidentally exposing private data to IT staff.
- STRENGTHEN IT: Make it easy to follow IT password policies by using password managers. If it’s easy for users to remember their passwords, it’s easy for hackers to crack them. Password managers remove the hassle of trying to think up strong passwords, can autofill webforms, keep passwords encrypted (and not on a sticky note on the PC), and prevent password reuse on multiple sites.
- CONNECT IT: Your VPN is your friend. Set it to launch or connect on system start-up. It’ll give users a reliably secure and encrypted connection, prevent service providers from logging internet activity, and keep hackers from tapping into connections.
- FORGET IT: Use the private browsing mode in web browsers to erase browsing and download histories, tracking cookies, and other digital artifacts stored on the device that can compromise security and privacy. Encourage users to combine private browsing with a VPN for better protection.
Like learning any new language, increasing security awareness takes time and continuous reinforcement. But helping your users “GET IT” by giving them the essential tools and understanding needed to stay safe and productive online will benefit them, your IT staff, and your organization.