We wrote a prior post about how remote work brings about changes that should shape your approach to security awareness training. At a high level, remote work changes:

1. the ways employees communicate;
2. the day to day support and oversight of employees; and
3. the interaction employees have with company networks and data.
   

In this post, we cover what topics should be covered when providing security awareness training to remote employees. As employees shift to remote, they need help to ensure they are secure and your networks are secure, regardless of where the actual work is performed.

Some of these topics are likely already a part of your security awareness training but others are not a part of most security awareness trainings.

Home network security

• Home networks are the new network perimeter for companies.
• Employees are now network administrators with control over security and network configurations.
  

While there are likely controls in place to ensure remote access to company systems and data, home network security best practices like not broadcasting SSID and network encryption should be implemented.

Public WiFi

• Public wireless networks are ubiquitous and often used for Internet access.
• Employees should restrict wifi access to known networks or, at the very least, prompt users to agree to connect to new networks.
  

When on public wifi networks, use caution and, if you can, limit going to websites where you need to provide credentials or sensitive information. A personal VPN is valuable when using public wifi.

Staying vigilant wherever you work

• Having a security mindset is harder at home or remote than when in the office.
• Social engineering attacks won’t stop when you work remotely.
  

One of the challenges of remote work is not knowing all the employees of your company. Don’t assume a message from an unknown sender claiming to be a co-worker is legitimate. Verify with your manager or another member of your team.

Social engineering targeting remote work topics

• New attacks focus on remote work topics like virtual meetings, remote work policies, and even Covid-related government benefits.
• An email that is relevant to where you work or how you work doesn’t mean it isn’t a social engineering attack.
  

Attackers are taking advantage of the shift to remote with attacks targeting topics that are top of mind for newly remote workers. This is a trend that will evolve as remote work evolves to capitalize on topics like hybrid work, in-person policies, and remote travel procedures.

Internet of Things (IoT)

• IoT devices (smart appliances, wearables, etc), both hardware and software components, can have vulnerabilities.
• IoT devices can be used to gain access to home networks and devices.
  

Often, we don’t think of appliances like TVs and refrigerators as computers but that is what they are when they are “smart” or “connected”. These devices should be treated like any other computer or phone in terms of security.

Over communicating when suspicious

• If you have a question about security or a message (email, chat, support ticket, etc,) you get, do not hesitate to ask your manager or security team about it.
  

With remote, more communication is always better. Be proactive if you have any questions or your gut tells you something feels off. Getting ahead of security incidents reduces risk.