Date: 2023-05-30

According to The Hill, almost 30% of all work in January 2023 took place from employees' homes—six times as much as in 2019, based on data from WFH Research. In larger urban settings, this percentage can be as high as 50%. Entire office buildings are lying idle with some undergoing fire sales.

These settings challenge organizational security efforts, putting both organizations and employees at risk.

IT and security pros have responded quickly to these new norms but continue to struggle with applying the same level of corporate security to workers in far-flung settings.

That's where HR leaders can play an important role.

Expanded Security Risks When Working at Home

HR's influence and authority have evolved during the pandemic as the need for ensuring employee engagement and productivity became abundantly clear in hybrid and remote settings. That's true not just in terms of traditional HR touchpoints like onboarding and performance evaluations but for all types of employee engagement needs, including data and systems security.

Working from home expands the threat surface for companies and employees in several ways:

• More endpoints can represent expanded attack surfaces for bad actors.

• Reduced (or perceived reduced) access to security resources.

• Potentially minimized security monitoring.

• Poor data practices: when "out of sight," employees may be less concerned about following the security practices required at the office.

• More susceptibility to social engineering and phishing attacks. When employees work from home, they tend to let their guard down and may engage in riskier online behaviors.

These risks are more likely to be minimized when companies have established strong security cultures. That has, of course, traditionally been a challenge even when workers are onsite. In a continued remote and hybrid environment, it's even more of a challenge. But there are steps organizations can take to help protect data and minimize security risks, and HR leaders can play a pivotal role in this process.

Steps to Build a Strong Security Culture

There are several things companies can do to help build a security culture that exists not only within the physical walls of the workplace, but that extends to employees in their home offices. For instance:

• Home network security is a foundational part of any company's security culture. This will involve a combination of basic security safeguards like setting up multifactor authentication, endpoint detection and response, password managers, VPNs, regularly required backups and ongoing security updates and patches.

Working with IT, HR can create checklists to ensure that employees follow security best practices and have access to the support and resources they need.

• Security education. Employees are the last line of defense against cyber-attacks. Security awareness training needs to be ongoing—and engaging. Training should cover safe online browsing and identifying what social engineering and phishing scams look like, preferably using real-world examples. Offering modules that are easily digestible, available on demand, engaging and even entertaining can help connect with employees.

With so many work processes taking place online, security education can become part of virtually any training effort as an important prompt and reminder of security policies and procedures.

• Phishing tests. Phishing employees to test their awareness can be fun and impactful. It's one thing to tell employees about the type of risk they may face. It's quite another to expose them to those risks so they can see for themselves how easy it may be to fall prey to manipulative phishing scams. Making it a competitive game by running a scoreboard on spotted phishing attempts can be a great way to encourage group participation.

• Opening communications. A strong security culture is one where employees can ask questions related to the protection of data and systems—and where they feel free to share examples of missteps or errors in judgement they've made. An open and transparent environment can help make employees more likely to share and more likely to seek the information they need to protect themselves and the organization.

Data and system security isn't just the purview of IT, any more than employee relations "belongs" to HR. By serving as a communication conduit between IT, the C-suite, managers and employees, HR can play a leadership role in a supportive environment prompting friendly discussions on security-related issues.

• Regular check-ins. Employees working from home shouldn't be "out of sight, out of mind"—although, unfortunately, they often are. Regular check-ins can be a good way to ensure that they're following security best practices at home.

Some organizations are creating roles for remote-work liaisons, focused solely on fostering connections with remote workers. Whether or not this role exists in your organization, HR leaders can be instrumental in ensuring that managers are well-positioned to stay in close contact with employees—on-site and off.

• Employee assistance programs (EAP). When employees are distracted or harried, they're more likely to succumb to phishing scams, click malicious links or download malware-laden files. Providing an EAP can help support staff as needed in addressing stress and general mental health concerns.

It's important to remember that when it comes to building a security culture—whether on-site, remotely or in a hybrid manner—no company or employee is entirely free from risk. Establishing a security culture is a long-term affair requiring engagement, monthly testing, quarterly training and attention to myriad details that can help or hurt company data and system protection. That offers ample opportunity for HR leaders to step up to the plate to partner with IT and other colleagues in support of a strong security culture wherever employees may be located.