© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.
Published: 07/27/2021
With the migration to remote and hybrid work during the last year, cyberattacks have increased at a rate of three to five times compared to pre-Covid. No big surprise that, for many businesses, virtual private networks (VPNs) have become standard operating procedure for security. But is the VPN’s castle-and-moat concept an effective security strategy in today’s hybrid workplace?
The ubiquity of the decentralized workforce is now evident: we may never revert to the large, centralized offices of the pre-Covid era. Even before 2020 brought the world to a standstill, the office environment was fast becoming less centralized with the rise of software as a service (SaaS) applications for businesses.
Many companies are claiming an increase in productivity with their work-from-home (WFH) employees, and office closures bring savings in operating costs. However, there is a downside.
The risks associated with such decentralization are greater than ever before. Unencrypted home and public networks, unvetted websites, and slow connections that tempt users to bypass controls are part of the problem, as are unauthorized users who continue to access confidential corporate data. In fact, global losses from cybercrime now total more than $1 trillion. In addition, the rise in ransomware and malware attacks targeted at unprotected corporate networks in recent years has proved to be a significant threat to today’s distributed workforces.
The notable shift toward cloud-based environments has prompted businesses to consolidate their network infrastructure in a central, cloud-hosted space, one that widens the previously restricted perimeter to accommodate distributed endpoints. As such, protecting company data has become just as important as protecting the company network.
Traditional VPN security has been based on the castle-and-moat concept. It isn’t easy to gain entry from outside the network, but everyone already inside the perimeter is deemed trustworthy for full access.
“The problem with this approach is that once an attacker gains access to the network, they have free rein over everything inside,” explains Juta Gurinaviciute, chief technology officer at NordVPN Teams. “Due to the aggressiveness of hackers, business owners now require more advanced solutions to manage their access permissions on the company network.”
VPNs based on castle-and-moat security are just not suited to the WFH and hybrid workforce that is today’s reality.
“Suppose you’re in a leadership position in your company,” says Gurinaviciute. “In that case, you want your employees (whether permanent, contracted, or freelance) to be able to access the applications and resources they need to do their job. At the same time, you’re probably conscious of how far their reach within your network should be. If everybody has access to your most valued assets, by default, you are compromising their safety with such frivolous freedoms.”
Some VPN solutions are now being built with a zero-trust principle in mind, one that is closer to “deny all, permit some.” In other words, no user is trusted with unfettered access to every area behind the VPN by default; each user is granted only the specific applications and resources their role requires, and everything else is denied. These more judicious solutions make it easier and safer to provide employees with the exact resources and applications they need, while ensuring that employees don’t reach data or assets that are confidential to the company.
Paired with authentication methods such as two-factor authentication, and with everyone following security best practices for business, this approach can vastly reduce the potential damage from a data breach, or possibly prevent a breach from occurring at all: a stolen password or a compromised laptop on the network no longer grants access to everything.
Although VPN technology still has its place in a robust security setup, access decisions based on verified identity and least privilege rather than on network location are the core of the zero-trust network access (ZTNA) model to which modern businesses should be aligning themselves.
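To make the “deny all, permit some” contrast concrete, here is an added illustration (not code from the article or from NordVPN Teams) of the two access models as a small policy evaluator. The castle-and-moat function trusts anyone who is inside the corporate network; the zero-trust function ignores network location and allows a request only when an explicit grant matches the authenticated identity, the resource and the action, with an MFA requirement enforced on sensitive resources. All users, groups, resources and scenarios below are constructed for the example.

```python
"""Default-deny ("deny all, permit some") access policy versus castle-and-moat.

Added illustration; not code from the article or from NordVPN Teams. The users,
groups, resources and scenarios below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str          # authenticated identity, or "" if unauthenticated
    groups: frozenset       # groups the identity belongs to
    resource: str           # e.g. "crm", "hr-payroll"
    action: str             # e.g. "read", "write"
    on_corp_network: bool   # inside the "moat"?
    mfa_verified: bool      # second factor completed for this session?


@dataclass(frozen=True)
class Grant:
    subject: str            # "user:<name>" or "group:<name>"
    resource: str
    actions: frozenset
    require_mfa: bool = False


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: anyone inside the network is trusted for everything."""
    return req.on_corp_network


def zero_trust(req: Request, grants: list[Grant]) -> tuple[bool, str]:
    """Default deny: allow only when an explicit grant matches the authenticated
    identity (or one of its groups), the resource and the action, and any MFA
    requirement on that grant is satisfied. Network location plays no part."""
    if not req.principal:
        return False, "deny: unauthenticated"
    subjects = {f"user:{req.principal}"} | {f"group:{g}" for g in req.groups}
    for grant in grants:
        if (grant.subject in subjects and grant.resource == req.resource
                and req.action in grant.actions):
            if grant.require_mfa and not req.mfa_verified:
                return False, f"deny: {grant.resource} requires MFA"
            return True, f"allow: matched {grant.subject}"
    return False, "deny: no matching grant (default)"


# Constructed policy: each role gets exactly the resources it needs, nothing more.
POLICY = [
    Grant("group:sales", "crm", frozenset({"read", "write"})),
    Grant("group:contractors", "ticketing", frozenset({"read"})),
    Grant("group:finance", "hr-payroll", frozenset({"read", "write"}), require_mfa=True),
]

# Constructed scenarios (principal, groups, resource, action, on_corp_network, mfa_verified)
SCENARIOS = {
    # attacker with a foothold on the LAN but no identity at all
    "lan_attacker": Request("", frozenset(), "hr-payroll", "read", True, False),
    # contractor inside the network reaching for payroll data
    "contractor_payroll": Request("bob", frozenset({"contractors"}), "hr-payroll", "read", True, True),
    # same contractor, from home, using the one app he is granted
    "contractor_ticketing": Request("bob", frozenset({"contractors"}), "ticketing", "read", False, True),
    # finance user on the LAN who has not completed MFA
    "finance_no_mfa": Request("carol", frozenset({"finance"}), "hr-payroll", "write", True, False),
    # same finance user, remote, with MFA completed
    "finance_mfa": Request("carol", frozenset({"finance"}), "hr-payroll", "write", False, True),
}


def evaluate_all() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (castle_and_moat_decision, zero_trust_decision)}."""
    return {name: (castle_and_moat(r), zero_trust(r, POLICY)[0])
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (moat, zt) in evaluate_all().items():
        print(f"{name:22s} castle-and-moat={moat!s:5s} zero-trust={zt}")
```

Note how the decisions invert: the perimeter model lets the LAN attacker and the contractor read payroll data simply because they are inside, yet blocks the legitimate remote finance user; the default-deny model grants the remote users exactly what their grants say and nothing to anyone who has only a network position.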
According to a recent survey by TalentLMS and Kenna Security, 61 percent of employees who took cybersecurity training failed a basic test. This suggests that more than half of your company’s team members could inadvertently expose your organization to security risks.
So how can you ensure your cybersecurity training actually does what it’s supposed to? By understanding how to keep learners hooked, and understanding why cybersecurity training turns employees off in the first place.
Three of the reasons that cybersecurity training turns employees off include:
• The training language is too technical
• Employees believe they already know enough
• Employees don’t see how it relates to their job
Tactics to engage your trainees, then, might include:
• Being critical of the course quality
• Using real-life examples
• Avoiding technical, confusing language
• Adding gamification elements like quizzes, scoreboards, and interactive features that use social and informal training to engage workers
• Making sure employers cover all learning styles, including audio, visual, and hands-on training opportunities
According to Victor Kritakis, chief information security officer at Epignosis, training should be hands-on.
“Cybersecurity is a practical skill, so there is no point wasting time in theory and definitions,” explains Kritakis. “Avoid theoretical courses, which are boring and usually result in low engagement. Training should be full of real-life cases and hands-on exercises. For example, instead of explaining what phishing is, show your learners real phishing emails and help them identify them.”
Kritakis also warns against overly technical and confusing language.
“Language that is clear and concise makes it easier for employees to digest complex information,” he says. “Even when your training covers technical issues or data security regulations, focus on the essence of your message using everyday language and practical information.”
Beyond simplifying the language, there are additional ways to break down complex information.
“When it comes to cybersecurity training, micro-learning can be very effective in helping employees retain and even enjoy learning,” notes Kritakis. “In fact, a recent TalentLMS survey showed that for 38 percent of employees, one way to make cybersecurity training more enjoyable is to break courses down into smaller, more digestible units.”
Including elements of gamification can also be effective.
“Learners are more likely to stay engaged throughout the entire course if there are fun and game-like elements involved,” says Kritakis, “whether it’s quizzes, scoreboards, or interactive features.”
It’s important to recognize that people learn in a variety of ways. While some employees are most receptive to visual learning, others learn best by doing. By offering animated, voice-over videos with captions, along with more practical, hands-on tasks during training, you can ensure you’re catering to all types of learners. You could also be averting a catastrophic security breach in the making.
Links:
[1] https://hbr.org/2020/05/how-organizations-can-ramp-up-their-cybersecurity-efforts-right-now
[3] https://www.business-standard.com/article/technology/mcafee-report-says-cybercrime-to-cost-world-economy-over-1-trillion-120120700249_1.html
[4] https://hbr.org/2021/05/ransomware-attacks-are-spiking-is-your-company-prepared
[5] https://nordvpnteams.com
[6] https://us.norton.com/internetsecurity-how-to-cyber-security-best-practices-for-employees.html/
[7] https://www.talentlms.com/blog/cybersecurity-statistics-survey/
[8] https://www.epignosishq.com/