CIS Control 14.8: Train Workforce on Insecure Network Dangers
Your workforce is your biggest security vulnerability—especially when connecting over public WiFi and unsecured home networks. CIS Control 14.8 requires comprehensive training on network security risks to prevent data breaches at the edge. For SMBs managing remote teams, this control is non-negotiable compliance.
What this means
CIS Control 14.8 mandates that organizations train all workforce members to recognize and avoid the dangers of transmitting enterprise data over insecure networks. This includes public WiFi in cafes and airports, unencrypted personal networks, and improperly configured home infrastructure. For remote-first organizations, training must explicitly cover secure home network setup—encryption standards, router configuration, and device isolation—to prevent credential theft and man-in-the-middle attacks at the source.
How to comply
- 1.Develop security awareness training curriculum covering public WiFi risks, unencrypted connection dangers, and credential theft vectors
- 2.Create specific guidance for remote workers on home network security: WPA3 encryption, strong passwords, guest network isolation, and regular firmware updates
- 3.Deliver mandatory training to all employees with documented completion and comprehension checks
- 4.Include phishing-over-insecure-networks scenarios and credential compromise case studies in training materials
- 5.Establish annual refresher training with updated threat examples and emerging attack vectors
- 6.For remote workers, provide step-by-step home network configuration guides or pre-configured router recommendations
- 7.Track training attendance, completion dates, and assessment scores as evidence of compliance
Evidence auditors look for
- Training curriculum documents with learning objectives aligned to network security risks
- Signed training acknowledgment records from all employees with dates
- Home network security configuration guides tailored for remote workforce
- Training assessment scores or quiz results demonstrating comprehension
- Recorded live training sessions or video-based training modules with access logs
- Email communications distributing security advisories on insecure network dangers
- Annual refresher training schedules with attendance rosters
- Documentation of emerging threats covered in recent training updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates training assignment and completion tracking for CIS 14.8, generates role-specific curriculum for remote vs. office workers, and maintains auditable records of acknowledgments and assessment scores—eliminating manual spreadsheet tracking.
See how GRCWatch handles this control automatically
Start free trial