Safeguard 14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Safeguard 14.8 requires you to train your workforce to recognize and avoid sending or accessing enterprise data over insecure networks (for example, open public Wi‑Fi) and to follow approved secure alternatives. Operationalize it by defining “insecure network” and “enterprise data,” delivering role-relevant training, and retaining completion and effectiveness evidence. (CIS Controls v8; CIS Controls Navigator v8)
Key takeaways:
- Define the rule in operational terms: what counts as insecure networks, what data is protected, and what “approved” connectivity looks like.
- Make training behavior-based (what to do) and tie it to enforced technical controls (VPN, secure remote access, DLP prompts).
- Build audit-ready evidence: content, audience targeting, delivery logs, attestations, exceptions, and follow-up actions.
The fastest way to fail safeguard 14.8 is to treat it as generic “security awareness.” This requirement is narrower: it focuses on the specific risk of connecting to insecure networks and transmitting enterprise data over them. That means your program has to be explicit about which networks are risky, which data is in scope, and what the workforce must do instead. (CIS Controls v8; CIS Controls Navigator v8)
For a Compliance Officer, CCO, or GRC lead, the work breaks into three tracks you can run in parallel: (1) policy and definitions that employees can actually apply in the moment, (2) training and communications that match real workflows (travel, hybrid work, field service, call centers, third parties), and (3) evidence capture that proves the training ran, who took it, what it covered, and how you addressed noncompliance. (CIS Controls v8; CIS Controls Navigator v8)
This page gives requirement-level implementation guidance for safeguard 14.8 (train workforce on the dangers of connecting to and transmitting enterprise data over insecure networks), with steps you can assign, artifacts to collect, and the exam questions you should expect.
Regulatory text
Framework requirement (excerpt): “CIS Controls v8 safeguard 14.8 implementation expectation (Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks).” (CIS Controls v8; CIS Controls Navigator v8)
Operator interpretation (what you must do)
You must implement workforce training that specifically addresses:
- The danger of connecting to insecure networks (typical example: open/public Wi‑Fi).
- The danger of transmitting enterprise data over those networks.
- The approved safe behaviors and escalation paths employees must follow (for example, “use corporate VPN,” “use approved hotspot,” “do not upload customer data from public Wi‑Fi,” “contact IT for secure access”). (CIS Controls v8; CIS Controls Navigator v8)
A practical reading: auditors will look for (1) training content that directly covers insecure networks and data transmission risk, (2) proof the workforce completed it, and (3) signs the training maps to how your organization actually works rather than a generic slide deck. (CIS Controls v8; CIS Controls Navigator v8)
Plain-English interpretation of the requirement
Employees connect from everywhere: airports, hotels, coffee shops, client sites, and home networks you do not control. Insecure networks increase the chance of eavesdropping, session hijacking, rogue access points, and accidental data exposure. Safeguard 14.8 expects you to reduce that risk through training that changes behavior at the moment of connection and transmission. (CIS Controls v8; CIS Controls Navigator v8)
Training is not a substitute for technical safeguards, but it is a required layer because your controls will never cover every edge case (personal devices, travel, outages, third-party networks, and human workarounds). (CIS Controls v8; CIS Controls Navigator v8)
Who it applies to
Entities
This applies to enterprises and technology organizations implementing CIS Controls v8, especially those with remote work, mobile workforces, or regular handling of sensitive enterprise data outside controlled facilities. (CIS Controls v8; CIS Controls Navigator v8)
Operational contexts where it matters most
- Hybrid/remote staff accessing SaaS, email, collaboration tools, and internal apps from home or public spaces.
- Traveling employees using hotel or airport networks.
- Field operations (service technicians, sales teams) relying on customer networks.
- Developers and admins performing privileged tasks remotely.
- Third parties (contractors, consultants) who access or handle enterprise data under your direction. (CIS Controls v8; CIS Controls Navigator v8)
What you actually need to do (step-by-step)
Step 1: Define scope in operational terms
Create short definitions that can be embedded in policy and training:
- Insecure network: list concrete examples (open Wi‑Fi, unknown SSIDs, “guest” networks without encryption, captive portal networks) and clarify that “encrypted Wi‑Fi” is not automatically “trusted.”
- Enterprise data: align to your data classification scheme (customer data, employee data, financials, source code, security logs, credentials, regulated data).
- Transmission: email, file upload, chat attachments, screen sharing, copy/paste into web apps, admin console access, remote desktop sessions. (CIS Controls v8; CIS Controls Navigator v8)
Deliverable: a one-page “Remote Connectivity Rules” standard that your training can reference.
Step 2: Set clear required behaviors (do/don’t) with approved alternatives
Write requirements employees can follow without interpretation:
- Do: use approved VPN/secure access, confirm network identity, use corporate hotspot where provided, use MFA, report suspicious captive portals/SSIDs.
- Don’t: access sensitive systems or transmit enterprise data over open/public Wi‑Fi without approved protections; don’t bypass VPN “to make it faster”; don’t share files through personal accounts on public networks.
- If you must: define an escalation path (“If you cannot connect securely, stop and contact IT/service desk for options”). (CIS Controls v8; CIS Controls Navigator v8)
Tie these behaviors to existing policies (acceptable use, remote access, data handling, incident reporting).
Step 3: Build training that is scenario-based and role-aware
Minimum content elements to cover:
- Threat scenarios: evil twin Wi‑Fi, passive sniffing, man-in-the-middle, credential capture via spoofed portals, accidental exposure from misconfigured sharing.
- Decision cues: “If you see X, do Y.” Examples: “If the Wi‑Fi name looks generic, don’t connect”; “If VPN fails, do not proceed with sensitive work.”
- Approved secure methods: VPN steps, secure remote desktop, approved cloud storage, encrypted email where applicable, mobile hotspot guidance.
- Reporting and response: how to report suspected exposure, what information to capture, what to do immediately. (CIS Controls v8; CIS Controls Navigator v8)
Role targeting (practical):
- Privileged users (IT/admin/devops): add rules for admin access, secrets handling, and emergency access from remote locations.
- Customer-facing teams: add rules for sharing customer files, screen sharing, and handling customer networks.
- Executives: cover high-risk travel patterns and delegation habits (assistants handling files on the road). (CIS Controls v8; CIS Controls Navigator v8)
Step 4: Deliver training through controlled channels and require acknowledgment
Operational choices that hold up in audits:
- Use your LMS or equivalent system that produces completion logs.
- Require annual training plus event-driven training for hires, role changes, and policy changes.
- Include an acknowledgment/attestation that employees understand and will follow remote connectivity rules. (CIS Controls v8; CIS Controls Navigator v8)
Step 5: Make the control provable (map to control operation and recurring evidence capture)
Create a control statement and an evidence cadence. The CIS-aligned implementation note to follow: map 14.8 to a documented control operation with recurring evidence capture. (CIS Controls v8; CIS Controls Navigator v8)
What “recurring” should mean in practice:
- A defined schedule for training runs.
- A repeatable report/export from the LMS.
- A review step where compliance/security signs off on completion status, exceptions, and follow-ups.
Daydream fit: many teams use Daydream to convert training obligations into a documented control with an evidence checklist, ownership, and recurring collection tasks, so you do not rebuild proof every audit cycle.
Step 6: Add effectiveness checks (lightweight but real)
CIS 14.8 is training-focused, but auditors still ask, “How do you know it works?” Use checks that generate artifacts:
- A short quiz with scenario questions and pass/fail remediation.
- Targeted follow-up messages after travel seasons or major remote access changes.
- A helpdesk tag/category for “secure remote access/public Wi‑Fi” requests to show training drives safer escalation. (CIS Controls v8; CIS Controls Navigator v8)
Step 7: Manage exceptions and third-party coverage
- Document exceptions (for example, legitimate operational cases) with compensating controls and approval.
- Ensure contractors with access to enterprise data complete equivalent training or are contractually bound to your training and connectivity rules. (CIS Controls v8; CIS Controls Navigator v8)
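As an added example (not from this page, CIS, or any LMS vendor), the completion reconciliation that Steps 4, 5 and 7 describe, written as a repeatable script: it joins a constructed HR/IAM population export, a constructed LMS completion export and a constructed exception register, flags completions recorded against a stale module version, missing attestations, and privileged users who lack the Step 3 role addendum, and returns the coverage figure and the chase list. The column names, module identifiers, roles and dates are assumptions.

```python
import csv, io
from datetime import date
# Constructed sample exports (not real records): HR/IAM population, LMS completions, Step 7 exception register.
POPULATION_CSV = """person_id,role,type
u1,engineer,employee
u2,admin,employee
u3,sales,contractor
u4,sales,employee
u5,exec,employee
u6,admin,contractor
"""
LMS_CSV = """person_id,module,version,completed_on,attested
u1,14.8-core,2.0,2024-05-02,yes
u2,14.8-core,1.0,2023-11-20,yes
u3,14.8-core,2.0,2024-05-10,yes
u5,14.8-core,2.0,2024-05-11,no
u6,14.8-core,2.0,2024-05-12,yes
u6,14.8-admin-addendum,2.0,2024-05-12,yes
"""
EXCEPTIONS_CSV = """person_id,reason,approved_by,expires_on
u4,extended leave,CISO,2024-09-30
"""
CURRENT_VERSION = "2.0"                 # version of the module content kept on file (assumed)
CORE_MODULE, ADDENDUM_MODULE = "14.8-core", "14.8-admin-addendum"
ADDENDUM_ROLES = {"admin", "engineer"}  # privileged roles also owe the role addendum (assumed)

def person_status(person, recs, exception):
    """Classify one person as complete / overdue / excepted, with the reason an auditor asks for."""
    if exception:
        return "excepted", exception["reason"]
    current = {r["module"]: r for r in recs if r["version"] == CURRENT_VERSION}
    if CORE_MODULE not in current:
        old = [r["version"] for r in recs if r["module"] == CORE_MODULE]
        return "overdue", f"completed old version {old[0]}" if old else "no LMS record"
    if current[CORE_MODULE]["attested"] != "yes":
        return "overdue", "attestation missing"
    if person["role"] in ADDENDUM_ROLES and ADDENDUM_MODULE not in current:
        return "overdue", "privileged-role addendum missing"
    return "complete", "current version, attested"

def reconcile(pop_csv, lms_csv, exc_csv, today):
    """Join population, LMS export and exception register as of `today` (ISO date string)."""
    recs = {}
    for r in csv.DictReader(io.StringIO(lms_csv)):
        recs.setdefault(r["person_id"], []).append(r)
    exceptions = {r["person_id"]: r for r in csv.DictReader(io.StringIO(exc_csv))
                  if date.fromisoformat(r["expires_on"]) >= date.fromisoformat(today)}
    return {p["person_id"]: person_status(p, recs.get(p["person_id"], []), exceptions.get(p["person_id"]))
            for p in csv.DictReader(io.StringIO(pop_csv))}

def summary(statuses):
    """Coverage over people who owe training (excepted leave the denominator) plus the chase list."""
    owed = [s for s, _ in statuses.values() if s != "excepted"]
    rate = round(sum(s == "complete" for s in owed) / len(owed), 2) if owed else 1.0
    return {"coverage": rate, "chase": sorted(p for p, (s, _) in statuses.items() if s == "overdue")}
```

Store the script output next to the module version and the exception register it was run against, so the completion figure can be reproduced at the next audit cycle.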
Required evidence and artifacts to retain
Keep evidence that answers: what you trained, who you trained, when, and what happened when people didn’t comply.
Training design
- Training module content (slides/video/script), version history, and change log.
- Learning objectives mapped to insecure network and transmission risks. (CIS Controls v8; CIS Controls Navigator v8)
Training delivery and completion
- LMS assignment records (population, roles, due dates).
- Completion reports with timestamps.
- Attestations/acknowledgments.
- New hire completion evidence. (CIS Controls v8; CIS Controls Navigator v8)
Effectiveness
- Quiz results and remediation workflow evidence.
- Copies of targeted communications (travel reminders, VPN requirement reminders).
- Helpdesk metrics are fine as qualitative support, but retain the underlying ticket samples or exports if you reference them. (CIS Controls v8; CIS Controls Navigator v8)
Governance
- The written standard/policy defining insecure networks, in-scope data, and required behaviors.
- Exception register and approvals.
- Control operating procedure and an evidence collection checklist (what is collected, by whom, how often). (CIS Controls v8; CIS Controls Navigator v8)
Common exam/audit questions and hangups
Expect these, and prepare your evidence folder to answer them quickly:
- “Define ‘insecure network’ for your organization.” If your definition is vague, auditors treat training as generic and incomplete. (CIS Controls v8; CIS Controls Navigator v8)
- “How do you ensure remote workers understand what to do on public Wi‑Fi?” Show scenario content plus required behaviors and escalation steps. (CIS Controls v8; CIS Controls Navigator v8)
- “Who is in scope, and how do you ensure coverage for contractors?” Produce audience lists and third-party training/attestation approach. (CIS Controls v8; CIS Controls Navigator v8)
- “Show completion evidence and how you follow up on non-completion.” Have a repeatable report and documented chase process. (CIS Controls v8; CIS Controls Navigator v8)
- “How do you keep training current?” Show versioning and update triggers (VPN changes, remote access architecture changes, policy updates). (CIS Controls v8; CIS Controls Navigator v8)
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails | Fix |
|---|---|---|
| Training says “avoid public Wi‑Fi” but gives no approved alternative | People will work around it | Provide “approved connectivity” options and a help path (VPN, hotspot, secure remote desktop) (CIS Controls v8; CIS Controls Navigator v8) |
| No definition of enterprise data | Employees can’t judge risk quickly | Map training to your data classification and provide examples by role (CIS Controls v8; CIS Controls Navigator v8) |
| Completion tracked, content not retained | You can’t prove what was taught | Store the module, version, and objectives with the completion report (CIS Controls v8; CIS Controls Navigator v8) |
| Contractors ignored | Data still moves through third parties | Contractual training requirement or equivalent controls; keep attestations (CIS Controls v8; CIS Controls Navigator v8) |
| “One-and-done” training | Risk is recurring (travel, remote work changes) | Add refreshers triggered by policy/tech changes and periodic reminders (CIS Controls v8; CIS Controls Navigator v8) |
Enforcement context and risk implications
No public enforcement cases were provided for this specific safeguard in the supplied source catalog, so you should frame risk in practical business terms rather than citing enforcement outcomes. (CIS Controls v8; CIS Controls Navigator v8)
Operational risk you are controlling:
- Unauthorized access to enterprise accounts from compromised networks.
- Exposure of sensitive files or credentials during remote work.
- Incident response complexity when you cannot trust the network path used for access. (CIS Controls v8; CIS Controls Navigator v8)
A practical 30/60/90-day execution plan
First 30 days (foundation)
- Assign control ownership (Security Awareness owner + GRC control owner).
- Draft/approve definitions: insecure networks, enterprise data, required behaviors.
- Inventory in-scope populations (employees, temps, key contractors).
- Build an evidence plan: what reports you will export and where they will be stored. (CIS Controls v8; CIS Controls Navigator v8)
Days 31–60 (build and launch)
- Develop or update the training module with scenario content and role variants.
- Configure LMS assignments and acknowledgment workflow.
- Publish a short “Remote Connectivity Rules” job aid.
- Stand up an exception process and register. (CIS Controls v8; CIS Controls Navigator v8)
Days 61–90 (prove operation)
- Run the first training campaign to required populations; chase non-completions.
- Collect and package evidence (content version + completion export + quiz results).
- Run an effectiveness check (scenario quiz analysis and remediation actions).
- Document the control operation and set recurring evidence collection tasks in your GRC system (Daydream can store the control narrative and evidence checklist so future audits are a pull, not a scramble). (CIS Controls v8; CIS Controls Navigator v8)
Frequently Asked Questions
Does safeguard 14.8 require VPN training specifically?
The safeguard requires training on the dangers of insecure networks and transmitting enterprise data over them, plus what employees must do instead. If VPN is your approved secure method, training should cover when and how to use it. (CIS Controls v8; CIS Controls Navigator v8)
What counts as an “insecure network” for audit purposes?
Define it in your standard using concrete examples employees encounter (open public Wi‑Fi, unknown SSIDs, guest networks). Auditors look for clarity plus alignment between the definition, the training content, and actual workforce behaviors. (CIS Controls v8; CIS Controls Navigator v8)
Do we need separate training for privileged users?
CIS does not mandate separate modules, but privileged access from untrusted networks carries higher impact. A role-based addendum for admins and engineers is a practical way to show coverage is risk-aligned. (CIS Controls v8; CIS Controls Navigator v8)
How do we cover third-party contractors under this safeguard?
If contractors access or handle enterprise data, include them in training or require equivalent training contractually and retain attestations. Ensure your evidence clearly shows who is covered and how. (CIS Controls v8; CIS Controls Navigator v8)
What evidence is “enough” if we do live training sessions instead of LMS modules?
Keep the session deck/script, attendee list, date/time, and acknowledgment method, plus any quiz or follow-up actions. Auditors still expect recurring, reproducible evidence rather than one-off calendar invites. (CIS Controls v8; CIS Controls Navigator v8)
How do we show the training is effective without inventing metrics?
Use artifacts that naturally come from execution: quiz results and remediation records, targeted communications, and helpdesk escalation examples tied to secure remote access. Avoid unsupported numeric claims; keep it evidence-based. (CIS Controls v8; CIS Controls Navigator v8)