Helping Your Users Stay Safe Online Helps to Keep the Office From Catching Fire (You Know…Metaphorically Speaking)

I have rarely seen any Cyber Security Awareness Training at any company explaining how I can take care of my assets, how I can avoid falling for scams, or other things to help my browsing online. Now for me, that’s not a problem. I’ve been in IT and Information Security my whole life, and I’m cautious when I’m online at home or work, but I want to talk about why I would like that to change: why training employees to be more suspicious online can and will help them to be better at work.

To start this, imagine a fortress with high walls, a drawbridge, and watchtowers manned by vigilant guards. This fortress represents your workplace, fortified with layers of security to keep threats at bay. But what if the guards, after a long day of vigilance, go home and leave their doors unlocked, windows open, and valuables in plain sight? It wouldn’t take long for that lax attitude to seep back into the fortress, potentially compromising the entire structure.

This clumsy metaphor captures the essence of why it’s so vital to encourage and foster strong cybersecurity awareness among your users not just within the walls (physical or metaphorical) of your organization but also in their personal lives. After all, in today’s interconnected world, the links between work and home have blurred. Laptops travel back and forth, mobile devices are shared, passwords are reused and personal habits inevitably bleed into professional behavior.

The Home-Work Security Connection

At first glance, it might seem like what employees do at home—how they handle their personal devices, emails, and online activities—shouldn’t concern your organization. But consider this: The habits your users develop in their personal lives can directly influence their actions at work. If someone regularly falls for phishing scams at home or uses weak passwords for their accounts, I bet they’re more likely to bring those risky behaviors into the workplace, no matter how many times they sit through the training.

With the rise of remote work, for some, the home has become an extension of the office. Employees access sensitive company information from their home networks, and personal devices are often used for work tasks. No matter what your security policy says, unless you have controls to stop this…it happens. This shift makes it essential for users to maintain strong cybersecurity practices at home, as any vulnerability there can become an entry point for attackers into your corporate environment.

Why Users’ Home Cyber Security Awareness Matters

  1. The Blurred Line Between Home and Work: The modern work environment is a blend of home and office, whether you do remote work or not. Personal devices are often used for work purposes, and work devices for personal tasks. If users are not secure at home, they can unintentionally expose corporate data to cyber threats. Most corporate devices have some controls built in (if not, get on that now) that limit access, so (hopefully) users can’t download and run malicious code by accident. Yet home computers that may access your data don’t have those same controls, updates, or filters in place.
  2. Human Behavior is Consistent: We are creatures of habit. The security practices that we follow (or neglect) at home are likely to be mirrored at work. If users are lax about updating their software, creating strong passwords, or scrutinizing suspicious emails in their personal life, those same poor habits will manifest in their professional life. I have yet to meet a person who in the office was suspicious of every email, made sure their systems were updated promptly, or was cautious of web links, and was lax at home (or vice versa).
  3. Remote Work is Here to Stay: While the pandemic has accelerated the trend towards remote work in one capacity or another, it’s clear that this model is here to stay unless you’re cool with talented staff leaving. Even as some employees return to the office, many will continue to work from home, at least part-time. This means that the old idea of a solid security perimeter around the organization is gone; the perimeter has expanded to include users’ home networks and devices. Yet we don’t control this expanded perimeter. If these environments are not secure, they present a weak link that attackers can exploit.
  4. Sophisticated Threats Targeting Personal Lives: Cybercriminals are increasingly targeting individuals, knowing that a successful attack on a personal account can provide a gateway to corporate data. Spear phishing, social engineering, and even direct attacks on home networks are becoming more common. By raising users’ awareness of these threats in their personal lives, you reduce the likelihood of these tactics being successful against your organization.
  5. The Impact of a Breach: A security breach at home can have devastating consequences for the individual, but it can also ripple out to affect the workplace. Imagine an employee’s email being hacked and used to reset passwords on work-related accounts. Or consider the implications of ransomware spreading from a personal device to a work network. These scenarios highlight why users must be vigilant in both spheres.

How to Improve Users’ Cyber Security Awareness at Home

Now, if you got this far, I hope that you are asking yourself: “So, how can organizations help their users develop better cybersecurity habits at home?” This is not an exhaustive list, but here are some practical strategies:

  1. Education and Training: Regularly provide training sessions and hold open discussions that cover the latest cybersecurity threats and best practices. Make sure these sessions are relevant to both work and home scenarios. For example, teach users how to recognize phishing emails, not just in their work inboxes but also in their personal accounts. Use real-world examples to drive the point home. Also, the key here…make them interesting…training can be boring, and if it is, no amount will help.
  2. Promote Good Security Hygiene: Encourage users to follow good security practices at home, such as using strong, unique passwords for each account, enabling two-factor authentication, and keeping software up to date. Provide them with resources, like password managers or guides on securing their home Wi-Fi networks.
  3. Encourage a Security-Conscious Culture: Create a culture where cybersecurity is seen as everyone’s responsibility. Encourage open communication about security concerns, both at work and at home. When employees see that the organization values security, they’re more likely to adopt those values in their personal lives as well.
  4. Simulate Attacks and Test Responses: Conduct phishing simulations and other security drills that include personal email accounts or devices, with employees’ permission. This approach not only tests their readiness but also highlights the importance of maintaining vigilance outside of work. A key takeaway here, is not to play
  5. Support and Resources: Make it easy for users to get help with cybersecurity issues at home. Whether through a dedicated support line, an internal forum, or regular newsletters with tips, providing ongoing support can make a big difference. Additionally, consider creating a repository of resources—such as guides on securing smart home devices or avoiding scams—that employees can refer to as needed.
  6. Incentivize Security Awareness: Gamify cybersecurity education by offering rewards or recognition for employees who consistently demonstrate good security practices. This could be as simple as recognizing individuals who complete all training modules or more elaborate, like holding contests for the best-secured home office setup.

Simply put, when employees build strong security habits at home, they’re less likely to fall for scams or malware that could endanger your organization, reducing the risk and cost of breaches. This home-grown vigilance also fosters a culture of security at work, leading to better compliance and a more robust organization. Plus, by showing you care about their security, you strengthen the bond between employer and employee, boosting morale. As cyber threats evolve, a security-conscious workforce, both at home and at work, ensures your organization stays one step ahead of attackers.