As we mention in our article about Cybersecurity frameworks, everyday employees are often the target of cybercriminals who intend to circumvent common and advanced security controls such as firewalls and intrusion detection systems. Because of this, it is important to think about the most effective ways to ensure that employees develop a thorough understanding of cybersecurity and their role in protecting company assets.
Regardless of the quality or quantity of policies and procedures or technical controls in place, statistics show that a security breach is still likely to occur if employees are not properly trained on their role in cybersecurity. So how do you get your employees involved and interested in helping protect critical company assets? There is no foolproof methodology, but our experience with our clients has shown some common successful themes:
Ways to Engage Your Employees in a Cybersecurity Culture in the Workplace
Tap Into Who Your Employees Are To Gain Ownership: Make security personal. Deep down inside, your employees are very concerned about their own personal identity and well-being; why shouldn’t they exercise the same care when it comes to their work identity or company information? Training employees on what they can do to protect their own information and how important it is will easily translate to the workplace. If you can get your employees interested in protecting themselves, their family and their own computer or device, it is going to translate to your business. After all, anything that harms the business can ultimately harm them.
Regularly Communicate Related Cybersecurity News: Be selective with cybersecurity-related news and communicate relative and meaningful notes and stories to your employees early and often to ensure continued awareness. Showing them what can go wrong will make your employees think twice about what they do on a daily basis and they will be less likely to repeat the mistakes of others.
Develop Effective Awareness Material: Awareness material usually isn’t effective unless it is fun. We often encourage our clients to work with their marketing department to develop professional yet memorable training materials or posters tailored for their organization. Additionally, it’s always a good idea to include cybersecurity awareness material in a new-hire packet and within the IT policies for new-hire acknowledgment. This will ensure that employees are trained on the topic from day one.
Measure Awareness: Measure your cybersecurity awareness program by regularly testing your organization’s security posture and susceptibility to common attacks. For example, phishing is a very common attack that leads to the majority of breaches today. A phishing attack occurs when an employee is sent a misleading email that will dupe them into clicking on a malicious link or revealing personal or confidential information, which an attacker can use illicitly. We recommend running controlled phishing simulation assessments on a regular basis to train your employees about how to recognize phishing attacks. You can then track any improvements or regression as your awareness program matures, and ultimately, measure the effectiveness.
Act Upon Policy Violations and Award Advocates: It is important to make employees accountable for violations to company security policies, but it’s important to do so in a way that will not alienate those individuals. For example, use situations where they may have done something wrong as a “teachable moment” rather than punishing them. On the flip side of that, reward your employees who take care to follow good security practices with a gift card or a certificate of achievement that they can display.
An organization’s greatest weakness can be an uneducated or unsympathetic employee who treats company data with no care. Change the mindset at your organization and make your employees advocates of security.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.