Around the world, many organizations have instructed employees to work from home, and as we’ve seen from extensive threat intelligence, the current situation presents new risks to your people as cybercriminals become opportunistic. There are some important ways to help your people stay secure during this time.
This situation has generated a lot of fear worldwide, and because of this our general recommendation for your security awareness program is to relax phishing simulation exercises and focus on communication, awareness, and training activities.
Complimentary Security Awareness Resources for Employees
We are offering two complimentary packages to help build awareness and train your employees:
- Utilize our free phishing awareness kit to help protect against the #1 threat vector
- Download our work from home awareness kit which includes free access to our Security Beyond the Office training module until July 1, 2020 as well as user-focused communication and awareness content on WiFi, VPNs, safeguarding data, and more
Communication is More Important When Working Environments Change
We recommend an aggressive communication plan for security awareness. Without an office, the lines between home and work blur together and users may be inclined to risky behavior. This can increase the chance that cyber criminals will be more effective at leveraging fear to induce unsafe actions, such as clicking on unsafe attachments or links.
Even if you don’t have a security awareness training solution in place, you can help your people and your security posture by drafting a few emails for users about best practices and advice, creating an internal wiki page of resources, and providing users with relevant awareness & training content.
We also recommend setting expectations with users. For instance, you can:
- Coordinate with executive staff and human resources on how corporate communications will be sent
- Provide guidance to users about communications from your organization (No attachments, only link to internal wiki, etc.)
Here’s a sample email to send to your users:
--
Subject Line: How We Will Send Corporate Communications
Hi Everyone,
{Your Company} wants to keep you updated on how to operate securely. There has been an increase of attacks disguised as messages from internal departments that could cause harm to you or our organization.
Here are some things to keep in mind about messages from us and others:
- {Your Company} will never include an attachment in a corporate communication {Your Company} will always link to our internal wiki for corporate communications here: {Insert wiki link here}
- {Your Company} will always send updates about ____________ from this email: {Insert company email here}
- If you receive a message from a third party about __________ such as updates or any other information please do not click the link or download the attachment and instead report it if suspicious using {PhishAlarm or Insert abuse mailbox here}
- If you receive information about _________ from a trusted party please verify through another channel or contact before engaging. Cyber criminals can “spoof” email addresses to make it appear that messages are from a trusted sender.
Please let us know if you have any questions.
--
Communication on WiFi and VPNs
Most Infosec professionals would think every user password protects their home Wi-Fi – as home networks are not a new concept. But the reality is much different. In our 2020 State of the Phish we asked thousands of working adults from around the world about their home Wi-Fi hygiene and found:
- Only 49% of users password-protect their network
- 31% have changed the default password on their Wi-Fi router
- 19% have checked and/or updated their Wi-Fi router’s firmware
Additionally, we found user knowledge and usage of Virtual Private Networks (VPNs) was low. A significant portion of users don’t know what a VPN is or may not feel the need to use one, as shown below:
With this reality, it may be worth sending a communication to your users to set their expectations, reeducate them on the risks, and provide guidance on how to utilize tools like your corporate VPN. If your VPN is struggling to keep pace, we’re offering Proofpoint customers a complimentary zero-trust solution by offering Proofpoint Meta for free until September 20, 2020.
Communication on Safeguarding Data at Home
User awareness of how to store and share private corporate data isn’t as high as it needs to be. According to our 2020 State of the Phish, almost half of users allow their friends and family to do activities like check/respond to email, shop online, stream media, and play games on employer-issued devices.
And our friends at ObserveIT, an Insider Threat Management platform, found that almost two thirds of insider-related breaches are careless, not malicious. Examples of careless incidents they found included sharing data on unsanctioned cloud networks, using public Wi-Fi, and sending sensitive data via personal email.
Just like Wi-Fi and VPN habits, it may be worth reminding employees what their data handling expectations are and what corporate resources are available now that they’re working from home.
When events like the current global health situation occur it’s important to adapt your security awareness program and communications to suit. Because of this over the coming weeks we will be providing blog posts, webinars, a mini-series of podcasts, and more on guidance for running an effective and engaging security awareness program, regardless of the environment or scenario you encounter as an organization. Join us for a panel presentation on Benchmarks and KPIs You Need to Know for Security Awareness Training on Wednesday, May 6 where we’ll talk about how to thrive in today’s changing security awareness landscape.