The idea that company security rests with the IT department or a small team of information security professionals is obsolete and dangerous. The potential attack surface of most organizations has never been greater, thanks to the proliferation of devices and applications, the blurring of the line between personal and work life, and the rapid rise of remote work.
Social engineering techniques routinely trick employees at every level of an organization into bypassing security controls. According to research from Stanford University, human error is the leading cause of data breaches, accounting for 88% of them. A company may not accept that all of its employees should be part of its security efforts, but there is no doubt that threat actors see every one of them as a potential target.
Look at how financial institutions have mobilized customers to verify suspicious transactions. People respond because they care, and they are often best placed to spot problems. The same logic applies to your cybersecurity efforts, as Forcepoint product manager Nico Popp recently pointed out to CyberWire. With a little planning and training, you can enlist everyone to counter the cyberattacks that slip past technical safeguards.
This is a real cultural change, and it requires companies to win employee buy-in. Security efforts need to be reframed away from policing employees. There must be some accountability, but punitive action is largely ineffective; worse, it can discourage employees from reporting incidents for fear of disciplinary action.
It will take time and effort, but there are clear steps that can be taken to foster collaboration and build a spirit of group responsibility.
The first step should be a comprehensive security awareness training program. People need to be familiar with the different threat scenarios, and there must be clear procedures for suspected incidents. Start by analyzing previous data breaches and cyberattacks to determine which areas pose the greatest risk to your business, and focus early training on those scenarios. Security awareness training should be a continuous process, repeated at regular intervals. Your program needs to evolve over time to take account of new developments and emerging threats.
Awareness is also about making security part of every conversation. Whether a product is under development, a new collaboration agreement with a third party is being drawn up, or you are adopting a new software system, security must be considered from the outset. When you challenge everyone to weigh the security impact of different actions, the company culture will begin to shift toward security.
Make it fun and engaging
Perhaps the biggest mistake organizations make with security training is using dry, boring materials and delivery methods. Ask employees to work through a long document or listen for an hour to someone talking about a security challenge that is irrelevant to their job role, and you can expect them to tune out. There is no reason why training cannot be engaging, or even fun.
Mix up the program to include different types of media. Use interactivity wherever possible. Use simulations that mirror what employees are likely to encounter day to day. Tailor your training so that it is relevant to specific roles and the particular challenges they face. When security incidents do occur, use them as learning opportunities and model good security hygiene.
Awareness alone is not enough; it must be backed by clear processes and reporting tools. Teaching employees what to look for, and making it easy for them to report suspicious activity, will drastically reduce the risk of many types of security incident.
Offer a return on investment
At the end of the day, the board always looks for the ROI. It wants to know that the resources it has committed have had a positive impact. The same is true of employees and their time and effort. To measure the effectiveness of your training, you need regular testing with realistic scenarios. You also need to reward the behavior you want to see. If an employee correctly identifies a phishing attack, for example, praise them publicly and reward them with vouchers or cash.
Compared with the potential cost and damage of a data breach, the cost of a good training program and reward incentives for employees is negligible. Simply committing resources to security in this way sends a clear message about how much the company values it. It is an effective path to a strong security culture in which everyone takes responsibility.
Drawing on your staff's skills and encouraging them to think about ways to improve security can have a huge impact. People understand their own departments and functions far better than outsiders do, so they will often find the most efficient ways to tighten security standards. Every employee has something to contribute; just engage them and get them thinking about security.
About the author
Stu Sjouwerman is the founder and CEO of KnowBe4, a developer of security awareness training and simulated phishing platforms with more than 37,000 customers and more than 25 million users. KnowBe4 also offers the KCM GRC platform, which provides pre-built templates for rapid compliance assessments and reporting. Sjouwerman was previously a co-founder of Sunbelt Software, the antimalware software company acquired in 2010. He is the author of four books, the latest of which is “Cyberheist: The Biggest Financial Threat Facing American Businesses.” You can contact him at email@example.com.