When I’ve talked to cybersecurity awareness training vendors about changes brought on by the pandemic — and further changes brought on by its reduction and end — I've been surprised by how few changes they've discussed.
One change, though, has been talked about by many of the players in the market, and it's one that I didn't anticipate: There's been a change in who they've been asked to train.
As employees flowed out of offices and into work-from-home (WFH) situations, cybersecurity professionals quickly realized that home networks and everyone who used them were suddenly part of the corporate infrastructure. If little Johnny visits the wrong website or grandma clicks on a phishing email, the ramifications could not only harm the household but also the companies of those WFH users.
Different organizations tried different ways to keep the ongoing WFH security risk from becoming a massive security disaster, and many of those ways involved training the employees' family members to be more responsible, security-aware computer users.
For vendors providing cybersecurity awareness training, this new training tended to require teaching those who might not have had previous awareness training the basics of phishing behaviors, malicious links on websites, ransomware, and even mobile threats like smishing and vishing. Omdia's research on how these efforts have affected enterprise security is ongoing, but we have not seen massive increases in corporate security failures over the last two years, so they certainly couldn't have hurt.
What Are the Benefits of Cybersecurity Awareness Training?
Beyond the absence of harm, there are important long-term benefits to extending cybersecurity awareness training to employees' family members. The benefits fall, broadly, into short-term and long-term groups.
In the short term, it's unlikely that businesses are going to go back to the simple "everyone comes to the office every day" model that existed three years ago. More employees will be doing more work at home, at least some of the time, so the home network must now be considered part of the enterprise infrastructure from a cybersecurity standpoint.
While some organizations are installing company-controlled home routers and firewalls on employee networks, those devices aren't magic bullets; there are plenty of cybersecurity threats they won't stop. The users who share physical (and network) space with the employee can have an impact on enterprise security, so those users should receive at least some cybersecurity awareness training.
Once trained, family members will not only be less likely to fall victim to cyberattacks, but they can also become valuable early warning sensors for malicious campaigns. In addition, family members might well become important behavior-reinforcing agents for good cybersecurity hygiene for the employee. Every parent knows that there's often nothing that a little child treasures more than the opportunity to point out poor behavior on the parent's part.
Over the long term, it is unquestionably true that no organization lives as a cybersecurity island. Each is part of a global community of email, messaging, and Internet users. Making the community safer overall makes the individual organization safer by association. As the cyber hygiene of the total community improves, the risk posture of the individual organization cannot help but improve.
In addition, the family members of today are the potential employees of tomorrow. Imagine how much more effective your cybersecurity awareness training could be if employees came to the table with a better baseline understanding of risks and responses.
It is true that there is no guideline or regulation that states a company's cybersecurity program must include teaching good cyber hygiene to employees' family members. However, in the shifting business understanding of 2022, teaching those family members about cybersecurity could be an investment that pays off for years to come.