Developing a Cybersecurity Culture in the Workplace

Cybersecurity|Large Companies

By Eric Fair

As we mention in our article about Cybersecurity frameworks, everyday employees are often the target of cyber criminals who intend to circumvent common and advanced security controls such as firewalls and intrusion detection systems.  Because of this, it is important to think about the most effective ways to ensure that employees develop a thorough understanding of cybersecurity and their role in protecting company assets.  

Regardless of the quality or quantity of policies and procedures or technical controls in place, statistics show that a security breach is still likely to occur if employees are not properly trained on their role in cybersecurity. So how do you get your employees involved and interested in helping protect critical company assets?  There is no foolproof methodology, but our experience with our clients has shown some common successful themes:

Ways to Engage Your Employees in a Cybersecurity Culture in the Workplace

  1. Tap Into Who Your Employees Are To Gain Ownership: Make security personal.  Deep down inside, your employees are very concerned about their own personal identity and well-being; why shouldn’t they exercise the same care when it comes to their work identity or company information?  Training employees on what they can do to protect their own information and how important it is will easily translate to the workplace.  If you can get your employees interested in protecting themselves, their family and their own computer or device, it is going to translate to your business.  After all, anything that harms the business can ultimately harm them.
  2. Regularly Communicate Related Cybersecurity News: Be selective with cybersecurity-related news and communicate relative and meaningful notes and stories to your employees early and often to ensure continued awareness. Showing them what can go wrong will make your employees think twice about what they do on a daily basis and they will be less likely to repeat the mistakes of others.
  3. Develop Effective Awareness Material: Awareness material usually isn’t effective unless it is fun.  We often encourage our clients to work with their marketing department to develop professional yet memorable training materials or posters tailored for their organization. Additionally, it’s always a good idea to include cybersecurity awareness material in a new-hire packet and within the IT policies for new-hire acknowledgment. This will ensure that employees are trained on the topic from day one.
  4. Measure Awareness: Measure your cybersecurity awareness program by regularly testing your organization’s security posture and susceptibility to common attacks. For example, phishing is a very common attack that leads to the majority of breaches today.  A phishing attack occurs when an employee is sent a misleading email that will dupe them into clicking on a malicious link or revealing personal or confidential information, which an attacker can use illicitly. We recommend running controlled phishing simulation assessments on a regular basis to train your employees about how to recognize phishing attacks. You can then track any improvements or regression as your awareness program matures, and ultimately, measure the effectiveness.
  5. Act Upon Policy Violations and Award Advocates: It is important to make employees accountable for violations to company security policies, but it’s important to do so in a way that will not alienate those individuals.  For example, use situations where they may have done something wrong as a “teachable moment” rather than punishing them.  On the flip side of that, reward your employees who take care to follow good security practices with a gift card or a certificate of achievement that they can display.

A organization’s greatest weakness can be an uneducated or unsympathetic employee who treats company data with no care.  Change the mindset at your organization and make your employees advocates of security.

Visit the Schneider Downs Our Thoughts On blog for more articles about cybersecurity and contact us with questions for our cybersecurity team.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.