The changes imposed by the COVID-19 pandemic are being felt across all industries and have had a major impact on workplaces as well. While just 7.7 million people worked from a home office in 2019, this number soared to 18.8 million during the pandemic in 2020. However, the greater flexibility afforded to employees is also responsible for the mounting losses companies incur. According to a recent study by the German Economic Institute, roughly EUR 31 billion – that’s one-quarter of the increase in losses incurred during 2020 – can be attributed to WFH arrangements. The reasons? Insufficient employee training as well as a lack of company computers. And the result is that hackers are targeting employees. A systematic IT security strategy is required to prevent this from happening. It starts with the employees because their awareness and knowledge of security are vital to the company’s cybersecurity. Security expert Nevis offers 10 tips on how you can optimise your employees’ awareness of IT security. Multi-factor authentication (MFA) and identity and access management (IAM) are just some of the measures that stop hacker attacks efficiently.
The start of the first lockdown in response to the COVID-19 pandemic saw the working world of entire industries in many places transferred within the four walls of employees’ homes. Working from home (WFH) was the name of the game, ushering in a new normal for companies and employees alike. Kitchen tables were spontaneously converted into desks, and personal computers were harnessed for work purposes. After all, very few employers could provide the necessary infrastructure at the drop of a hat.
Hackers profited from the home-office boom
This is where the problems began. As many companies sent increasing numbers of their staff to work from home during the pandemic, the number of cyberattacks increased. The critical factor here was the greater number of weak points in the company’s own IT security systems. A recent study by the German Economic Institute confirms this: one-quarter of the total increase in losses due to cyberattacks in 2020 compared to the previous year can be attributed to people working from home, amounting to an estimated EUR 31 billion. The lack of company laptops, training, and outdated security concepts were particularly detrimental. Consequently, internal company data was stolen by hackers and used for extortion purposes on many occasions. All these points to a need for greater awareness among all employees for cybersecurity in the home office combined with comprehensive IT security for private environments.
Optimising security awareness with IAM and MFA
Replacing reaction with prevention – this is the goal of an optimum company security strategy in order to instantly raise the awareness of staff and minimise hackers’ ability to mount attacks. It stands to reason that employees who are fully informed about all IT security risks and better able to identify hazards in their everyday work by themselves are more likely to take steps to counter them, which contributes to the company’s long-term success. Remember: the more closely this information relates to the employees’ personal environments, the more likely they are to engage with the topic and practice good security behaviour. These 10 tips will turn your employees into IT security pros in no time.
- Build trust by communicating clearly
Open and clear communication helps ensure that employees know precisely whom they can turn to in the company if something unusual happens and how they can verify business-related activities. This strategy breaks down feelings of insecurity, and strengthens trust while at the same time discouraging people from keeping quiet about possible threats.
- Provide awareness training from day one
Awareness training should be high on the list of onboarding priorities for all new members of staff. This ensures that cybersecurity is incorporated as a fundamental part of their new routines. It also gives the employees the knowledge they need to deal with passwords and other sensitive details from day one. So they internalise habits effectively and see the IT training courses that are offered throughout the employment relationship as a matter of course and something to be grateful for.
- Choose the right passwords: unique and random
Cybersecurity begins with the password. Combinations of numerals or the name of a pet dog might be easy to remember, but they are first and foremost insecure and discoverable by hackers within seconds. So it’s important to instruct employees to choose a unique and random password for every account. The golden rule: 12 to 16 characters including special characters are ideal.
- Use IAM to grant access clearance on a need-to-know basis
With systematic identity and access management (IAM), companies can handle the identity management of internal users flexibly and continuously adapt to new conditions. This gives every employee personalised access to only those resources that they actually need for their work. In other words, access clearance is granted on a need-to-know basis.
- Stay up to date
The people responsible for security in companies should keep abreast of cybersecurity news and insights. In their capacity as experts, they must also share this information with the workforce. After all, the latest hacking methods, scams and viruses can only be identified and repelled if employees have the same level of knowledge as IT security professionals.
- Watch out for fishy-looking emails from the boardroom
Suspicious e-mails containing special offers or apparently familiar subject lines are just one of the tricks employed by hackers. Train employees to check emails before opening them and only to open attachments during the next step. And that applies even if the email comes from the boardroom.
- Secure authorisation with a fingerprint
Use multi-factor authentication (MFA). It provides an extra layer of security by combining 2FA with the biometrics of your employees. This requires one of the four factors – ownership, knowledge, location or biometric characteristics – which can identify an employee beyond doubt.
- Gamify security (play your way to success)
It’s all about gamification, i.e. making employee training more enjoyable by adding game elements. In practice, it means combining gaming components such as competitions and animations with theoretical aspects of the company's security strategy. The aim is to present dry subject matter using real-life scenarios and create a more relaxed learning atmosphere. Employees tend to engage better while sharpening their awareness of security practices.
- Simulate a hacker
Put your security concept to the test by simulating an emergency. In this scenario, external security specialists simulate a hacker attack that specifically targets the company's workflows and must be solved by the employees. This test processes across all hierarchies to improve learning and give employees concrete opportunities to improve in practice.
- Reward conscientiousness
Companies can reward exemplary conduct and a security-conscious approach to internal company data. Rewards can take various forms, ranging from a badge or points on a chart all the way to a fun security competition involving employees from the entire company. Reaching previously defined milestones increases the chances of winning prizes such as gift vouchers. This type of recognition motivates employees to adhere to IT security policies and helps build a secure work environment.