Published January 14, 2019

How to Engage Employees in a Cybersecurity Culture

The value of a strong cybersecurity program is hard to estimate. That is, until a breach occurs. Then, it’s priceless. In an era of heightened data privacy concerns among consumers, with breaches costing companies billions of dollars in fines and tarnished reputations, is it enough to simply implement the latest security technology? A quick scan of last year’s breaking tech stories suggests not.

Today, organizations need to build and nurture a culture of security within their workforce. That is much easier said than done. According to a survey by Intermedia, 99% of employees reported prioritizing personal convenience over enterprise security. Employees need to internalize the fact that technology alone can only do so much: controls are only as strong as the people who use (or bypass) them. Following basic cybersecurity practices must become part of the workforce's daily routine. To make this happen, organizations need to work closely with their employees and create a culture that promotes the values and principles of an organization-wide cyber defense.

Here are a few steps organizations can take if they want to engage their employees in a cybersecurity culture.

#1 Focus on the Basics

A survey by CompTIA found that nearly 50% of surveyed employees have never received cybersecurity training. Intermedia's figures on day-to-day behavior are no more reassuring: 96% of employees regularly save passwords on their devices instead of entering their credentials manually (typically in unmanaged browser stores rather than an approved password manager), 64% send work documents to their personal email, 57% save work documents on their desktops, and 49% continue to access company documents after leaving the company. Taken together, there is clearly cause for concern.

To start weeding out these practices, and others like them, cybersecurity training needs to be a mandatory part of new employee orientation. The training needs to be engaging, relevant to what each employee actually does, and assume no pre-existing awareness of cybersecurity. In situations like these, it always helps to start small and work your way up to more complex topics.

Begin with the basics:

  • Password policies
  • Data storage policies
  • Mobile device policies

Then move on to:

  • Remote data access policies
  • Response strategy in the event of a breach
  • Training in cyber vigilance, e.g. how to spot a phishing email or a malicious website, and whom to tell when you do.

#2 Assist remote employees

The modern workplace gives employees the freedom to work from any location they choose, as long as they stay connected and accessible. Employees need to understand that this privilege is contingent on maintaining open and reliable channels of communication with the IT department. It's not uncommon to find remote employees resorting to workarounds or shortcuts with work files or critical customer data (personal cloud storage, personal email, unmanaged devices). This has to be discouraged at all costs. Once outside your organization's network perimeter, the data used by remote employees (or employees taking their work home) travels over networks you do not control and sits on devices you may not manage, and is correspondingly more exposed to interception and theft. To address the first of these risks, organizations can set up a Virtual Private Network (VPN) that encrypts and authenticates the connection between telecommuting employees and company systems. Note that a VPN protects the connection, not the endpoint: a compromised laptop on the VPN is a compromised laptop inside your network.

In general, employers must be aware that a remote workforce needs additional measures to reduce the potential for a cyberattack and consequent data loss. Organizations with a Bring Your Own Device (BYOD) policy face the same risk, since personal devices are rarely patched, encrypted, or monitored to the same standard as corporate ones, and external bad actors readily exploit these gaps. Organizations can respond by creating and enforcing strong BYOD protocols. Take a proactive stance and help your employees secure their devices and their connection to the enterprise with the right technologies, up-to-date software, and appropriate security controls.

#3 Make security training engaging

According to the Netwrix 2017 IT Risks Report, 37% of respondents said that insufficient staff training makes it harder to implement a more effective IT risk strategy. Security training can be so much more than droning instructional videos and snooze-worthy PowerPoint decks.

Here’s what Uber has to say: Pick a fun theme and parody it. It’s a worthwhile notion, since research has shown that gamification of training yields positive results. Activities like a "phishing writing workshop", where employees draft the lure they would fall for themselves, help them understand what they're up against and give them a more personal stake in how they deal with it. The options are endless once you start thinking outside the box.

#4 Embrace organizational security from the top down

Nearly 43% of breaches are the result of internal factors, and the average data breach costs nearly $4 million. This reality demands an enterprise-wide commitment to cybersecurity; it must become a shared responsibility. Business leaders need to go beyond hosting security awareness programs and set an example. The most effective leaders are visible, empathetic, and approachable. When driving cybersecurity policy, they need to take the same tack: ready to engage in person, answer queries, and put a human face to the organization’s concerns. Senior executives should also encourage middle management to do the same and to communicate and model good security practices on a daily basis.

#5 Encourage employees to report incidents

Forbes reports that the global cost of handling cyberattacks is expected to increase from $400 billion now to $2.1 trillion by 2021. Combating cyberattacks is a team sport. Turn the daily users of your organization’s data and technology into an early-warning system. Encourage all employees to report any suspicious activity they encounter, and any accident of their own, in an environment where they can do so without fear of retribution or blame.

Reporting of cyber incidents should be painless and fast: one well-known channel (for example a "report phishing" button or a dedicated mailbox) that goes directly to the IT or security team, with minimal red tape. Managers should acknowledge the team member(s) who helped detect a problem through an all-staff email or announcement. This will motivate others to do the same in a similar situation. And in case someone needs to report a colleague’s suspicious activity, consider offering employees an anonymous reporting option.

#6 Learn from the past

Even if lapses in judgment have occurred in the past, it’s important to take stock, course-correct, and move forward. Organizations should take a retrospective approach: conduct reviews of the last quarter or six months to evaluate how far they’ve come. If a cybersecurity initiative has stalled or not gone according to plan, consider the following possibilities:

  • Was the messaging irrelevant or buried in jargon?
  • Was the rollout not well planned?
  • Would a different strategy have worked better for your workforce?
  • How can you improve and incentivize employees to be more involved?

Technology and attacker tradecraft change constantly, and only by regularly reviewing ongoing trends, both internally and externally, can organizations remain primed and ready.

#7 Make peace with mistakes

Every 40 seconds a business falls victim to a ransomware attack. By 2021, cybercrime will cost the world more than $6 trillion annually, claims Cybersecurity Ventures. It may sound fatalistic, but data is the new oil, and if your organization deals in consumer data, you are, at some point in time, likely to be the target of a cyberattack. No organization becomes invulnerable, so the questions are: how do you harden your defenses, and when a control does fail, how quickly can you detect it and recover with minimal damage? The answer partly lies in the vigilance of your workforce. You will need to rely on your employees for the success of your cybersecurity initiatives.

When mistakes or careless errors occur, use them as teaching moments instead of assigning blame (and punitive action) or, worse, sweeping them under the rug. Punishing the person who clicked the link mostly teaches the next person not to report it. Such transparency will highlight the need for continual training and provide opportunities for further improvement, while keeping employee culture at the center of the overall cybersecurity initiative. Cybersecurity is no longer an IT problem. It is an enterprise-wide priority.

Comment below: What are some cybersecurity red flags that are often overlooked?
