Cyber security is a top concern for every company. As the CISO, leading the charge to keep your company secure from attackers falls squarely on your shoulders, but it is not a job you can do alone. Security, and the measures your company takes to stay as secure as possible, is a company-wide responsibility. Every employee, from assistant to manager to CEO, needs to take part.
Each employee should know that they are accountable, but for people outside the security team that can sound intimidating, and the last thing you want is for someone to be too afraid to report an issue. The best way to get buy-in from each person is to create an educational environment that makes everyone cyber smart.
Below we cover tried and tested tactics that you can implement quickly to keep security at the forefront of every employee’s mind, strengthening one of your most important lines of defense.
Make Security Part of the Onboarding Process
Onboarding for new employees usually consists of office tours and meetings with human resources, department executives, and team leaders. Insist that a session with a security team member covering the company’s cyber security policies becomes part of that process. During the session, explain common attacker tactics such as phishing emails, and go over password requirements, how to enable firewall protection in the office and at home, and the importance of installing software updates and keeping backups.
Use Simulated Campaigns for Educational Purposes
Even employees who know the common scams sometimes engage with dangerous emails, pop-ups, or fake phone calls, often because they were rushing through a task or let their guard down for a moment. Either way, the impact can be disastrous. One way to test people’s responses is to run simulated phishing campaigns or attacks. Share the results with the company in aggregate only; singling out individuals discourages future reports. Keep it general, for example “X% of people engaged with this threat,” and track how many people reported the message as well as how many clicked, since a rising report rate is the outcome you actually want. Then explain which elements should have signalled that something was off, walk through the attack path, and describe what could have happened in a real attack.
Educate, Then Educate Again
Education is an ongoing process because the human brain can only absorb so much information at once. Commonly cited estimates based on the forgetting curve suggest that people retain less than 50% of what they are taught after one hour, and that roughly 70% of a training session is forgotten after a day. Memory works best by building on existing knowledge, so hold shorter security sessions more often to make the material stick. Whether you hold cyber meetings monthly, quarterly, or twice a year, it is essential to repeat core information and brief people on new threats regularly.
Always strive to present the material engagingly, make it interactive, or draw a direct link to how people can apply the lesson in their personal lives; all of these help people internalize it. For example, show a seemingly harmless photo of a team at lunch that includes a whiteboard with sensitive information in the background, and ask whether sharing that image on social media could pose a risk. Then connect it to their own lives: many of them probably have notes around their homes with passwords and login credentials that could appear in the selfie they just posted to Instagram.
Make Reporting a Positive Experience
Few things are worse than the fear that strikes an employee when they realize they have engaged with a potential security threat. Many will try to ignore the situation to avoid getting in trouble. You must create an environment that triggers the opposite reaction: people need to know they will not be punished for reporting an issue or a mistake. Establish a simple reporting process and build a culture that encourages reporting even when the employee is not sure anything happened; the motto should be “better safe than sorry” so that nobody hesitates. Finally, follow up with the reporter directly, and let them and the company know about the positive impact their report had.
Instill Proactive Approaches
Promote a security perspective that focuses on how to work securely, not only on how to avoid threats. If employees start out working proactively, the number of reactive steps they will have to take is automatically reduced. For example, instead of a blanket ban on working from home because you cannot control home security setups, teach people how to work from home securely. Give them a step-by-step guide they can keep on file that walks them through each process, such as logging into systems securely and setting up firewalls or VPNs.
Be Reachable, Be Welcoming
To strengthen your security posture, every employee needs to take steps to protect the company. However, people don’t know what they don’t know. Educating employees is your responsibility; following through and acting on that education is theirs. The more communicative and accessible you are, the more engaged and aligned employees will be with your goals for the company. In the end, if your policies and expectations are clearly explained, you take the time to reinforce the material, and you acknowledge and praise people for coming forward, you will build a cyber smart company in which employees feel empowered, and that is exactly what you want when strengthening your first line of defense.