How to maintain your cyber security awareness programme with a remote workforce

by Louise Czekaj, Senior Associate, Security culture and awareness - Cyber Security, PwC United Kingdom


When it comes to influencing security behaviours for remote working and virtual meetings, office posters aren’t an option. Organisations need new and engaging ways to ensure employees keep data and systems safe while working from home.

You may already have a security awareness plan for 2020. But how do you encourage employees to display positive security behaviours when their working environment has changed so dramatically? And how do you make people aware of new cyber threats?

Here are four steps to consider:

1. Assess your existing policies and guidance for employees

Organisations need to define new standards and guidance for cyber behaviours. This begins with a gap analysis – find out from your security or IT team what new risks have been identified and look at whether existing policies can still be followed in the usual way. Do they need to be adapted to allow the business to function while still promoting security?

Rules that might need to change include those around BYOD (bring your own device), online conferencing tools, file transfer and ways of confirming legitimacy of emails. Perhaps you’ve had to relax rules in an effort to quickly get people working from home. If so, you may need to realign your policies to make sure they are still fit for purpose.

Some rules might remain the same and need reiterating, such as how to securely dispose of data at home, or the use of work devices for personal activities.

2. Revisit your security awareness plan for 2020

Which security behaviours did you originally plan to focus on this year? You need to consider whether you should reprioritise to focus on other behaviours associated with new risks. This could be an ongoing exercise as new security incidents are reported and new risks are identified.

It could be that the top behaviours you wish to promote remain the same: for example, reporting incidents, not clicking on links in phishing emails, or classifying documents correctly.

In some cases, security behaviours may be the same even though the threat has evolved. For example, refraining from talking about confidential work in public places or on social media might be adapted to include insecure online channels, especially if you are aware of an increase in people organising 'work socials' using non-work applications.

There may, however, be some behaviours you wish to postpone focusing on until later in the year, such as escorting visitors to reception. That said, consideration still needs to be given to physical security, especially for employees in shared accommodation.

The key to a successful plan is to remain focused and relevant – employees are more likely to listen when the message is relevant to them right now.

3. Distribute dedicated awareness material

Work with your communications team to make employees aware of the positive security behaviours you want them to display while working remotely. It is important to share this using existing channels and not to bombard people with too many messages at the wrong time.

A single source of truth is important when employees might already be suffering from communications fatigue due to the number of messages they are receiving. More than ever, security teams may need to fight for attention. Keep your material clear and concise, and make sure it says where to go for information and who to contact with queries.

4. Set the tone from the top

It is important that senior leaders remain approachable and demonstrate positive security behaviours while working from home. They are role models; if they demonstrate poor security behaviour, everyone will follow. You may consider creating some additional, targeted awareness material to convey this, for example a virtual face-to-face session with the leadership team highlighting new threats.

Ultimately, the aim is to continue to promote the right behaviours through your security awareness programme. You may just need to adapt it to be relevant.

For further information on our latest cyber security insight, please visit our homepage. If you would like to talk to us about security awareness, please get in touch.
