You have the best cybersecurity tools and processes in place that your budget allows. You are constantly monitoring and educating yourself on new security threats. You even have a robust training programme in place for your team to avoid falling victim to the worldwide cybersecurity skills shortage.
But if your workforce isn’t following the basics of good cyber hygiene, such as avoiding engaging with suspicious emails, all your hard work could be wasted.
So how can you educate (and influence) them to follow cybersecurity best practice if they don’t already? Here are our tips.
Expecting your workforce to be educated on cybersecurity best practice is naïve and risky. Here’s why. Let’s assume your workforce comprises three groups of people: new starters straight from school or university; new joiners from another company; and existing employees. For group 1, it’s the first time they have been given access to company property and large servers and files so they won’t have had any training prior to joining. For group 2, they may have had training at their previous company but you cannot be certain of its quality or its relevance to your systems. And for group 3, unless you provide compulsory state-of-the-art cybersecurity training to all employees and assess their learning as part of the process, you cannot be certain of their knowledge either. As a result, it’s probably safe to assume that awareness of cybersecurity best practice is low.
Therefore before launching into an impassioned speech about password security, you need to make sure everyone is clear on the basics.
People process information better when it’s in a way that makes sense to them. So instead of concentrating on the technicalities and jargon, simplify your message and put it into terms everyone can understand. Statistics will help here too.
For instance, instead of stating rules about what they can and can’t do, you could mention how many new phishing emails are sent out every day and what the implications of engaging with these are.
It sounds simple, but it’s an easy step to get wrong. It’s not enough just to put a few slides together and say “that’s your cybersecurity training sorted”; you need to give them extensive insight into how their actions can impact the organisation’s security. The more interactive and immersive you can make the training, the better, and if offered online, for an employee to do when it suits them, it will take less time for every employee to complete it. Not only that, but you can add it as an onboarding step for new starters by sending them a link to the training during their first week at the company.
Your employees should also be tested (either formally or informally) to see how much they’ve actually retained from the training.
We also recommend having a secure internal communication channel in place so employees can ask questions about what they’ve learned and be reassured it’s safe to do so.
Every company is different and teams operate differently too. That is why it’s worthwhile speaking to the training company you choose to understand if they can tailor their programs to meet your exact needs. Pay attention to BYOD too as it could be the case, particularly given the Covid-19 pandemic, that staff could still be using their own computers or smartphones for work purposes.
It will also be the case that some of your departments rarely use computer systems in their roles. While they still need to know cybersecurity best practice, they should be provided a less extensive level of training.
Your workforce already has enough responsibilities to take care of in their roles and now you want them to add security to the pile too? Given that this will be seen by some as requiring extra effort and time, help them see how they will benefit from the process. For example, completing all training and achieving high test scores could be looked on favourably in their annual reviews. Or perhaps the team that demonstrates the greatest conscientiousness in terms of security best practice gets a reward of a lunch trip paid for by the company. At a price of $50-100 per head for the lunch, it will act as a huge incentive for employees and costs significantly less than a security breach would.
If you’d rather not provide financial incentives to employees for embracing their new security responsibilities, then why not look at rewards of a different kind? Gamify your security education by offering points or level status to the first person who spots an unusual email, provides help on your internal security comms channel or flags the latest cyber trends? You can also create badges for internal email signatures that demonstrate an employee’s awareness level or “status”.
It’s no secret that leading by example is a good way to influence others. If you’re following best practices, your employees are more likely to do the same. The same applies for the board and leadership teams. Ensure that every senior member of staff has completed their cybersecurity training and encourage them to share some of their learnings either in a company-wide email or on an internal comms platform if you have one.
Bad things happen. Even if you’re following all the best practices, your company could still be attacked. This is why it pays to have a cyber incident response plan in place so employees know what to do when it happens. This should include the information you should send them on how they can protect their data, how they can continue work (if at all) and who to speak to should they spot further problems.
Keeping up with cybersecurity best practices and educating your workforce is the key to protecting your business from cyberattacks. We hope our tips help you to get employees on board, but if you need further help in making your vulnerability remediation efforts more effective, we’d love to help.