Making employees love cyber security
How can you make your employees care about cyber security?
Protecting your computers and networks and the data that they contain is a complex issue. If you are to have any chance of success, then the attitudes of your employees towards cyber security are an important factor.
There are a number of actions that you can take to get your employees to understand what the problem is and to help them to become your greatest asset. The first thing that you need to do, and to be able to demonstrate, is that you have gained buy-in from the top of your organisation. If the management is not actively supporting the activity, why should the employees?
Make sure that you have a cyber security policy and that everyone has read it. Ensure that it addresses, as a minimum, specific rules for email, internet browsing, social networks and mobile devices.
Put in place a cyber security awareness training programme that employees are exposed to from the time that they join the organisation. That way new employees, from the time they start, begin to understand that cyber security is important, and that they are going to be given continuous awareness and training. Do not forget that training needs to be comprehensible and people-friendly. Cyber security may seem daunting to many of your employees, so a good approach is to break it into small sections and be SMART with your targets – they should be specific, measurable, actionable, relevant and time-constrained. The training needs to be delivered continuously throughout the year, at all levels of the organisation.
A good place to start is when a new employee is inducted – make reading the policy part of the process. After that, all employees should read it again at regular intervals (perhaps as part of an annual review?) to make sure that they are up to date. Keep your security policy simple and concise so that employees will be able to read it and digest the core security messages.
As a part of the awareness and education programme, clearly communicate the potential impact of a cyber incident on your organisation. You can also explain the potential consequences of everyday activities and bad habits, and use examples to illustrate the points. For example, you could use scenarios such as what could happen if someone accessed work documents over an open Wi-Fi network in a cafe, or opened personal emails on a work device. You should also highlight the risks of revealing personal information on social media sites, such as a partner’s or kids’ names, memorable dates, etc., which may give an insight into passwords used for work applications. The majority of users do not even realise how they’re potentially undermining your business through everyday (mis)behaviours.
Make cyber security everyone’s responsibility. Include management and the IT staff in your education programme. The more senior an employee, the more information they typically have access to, making them a more attractive target to cyber criminals. IT staff have even greater power over the network, so ensure that complacency doesn’t set in.
Plan how best to communicate cyber security information to all employees, and get all departments on board with both training and learning best practices.
Reward good behaviour by employees. For example, reward users who find malicious emails, and share stories about how users have helped to identify and prevent security issues.
If an employee makes a mistake, be understanding – after all, it is better to get the staff to report breaches than to hide them for fear of repercussions. However, if one employee or group of employees seems to be having a lot of security issues, look into it and identify the cause so that you can take remedial action.
Help employees understand the importance of cyber hygiene not just in the workplace, but also at home. Teach them about privacy, security, and show them how the lessons learned at work can be applied in their home and in their personal lives. This should help to get them to adopt good practices and give them some useful knowledge for their personal lives.
Tailor the training to help your employees to recognise and respond to a cyber attack and give them information on how to report an incident. For example, provide an emergency contact number to alert the system administrator to any suspicious emails or unusual activity, or for the reporting of a lost device.
Mobile devices have become an increasingly important business tool, but with them comes a new set of cyber threats. Consider making sure that your employees have password-protected devices, encrypted emails, and approved security applications to help keep the mobile data safe.
Carry out evaluations of both employees and systems to find out how vulnerable your organisation is to an attack.
While there is no foolproof method to protect your business, educating your employees about security threats and best practices for online behaviour and privacy can at least reduce the likelihood of a breach caused by human error.
Keep security simple.