It’s a well-established truth that an organization’s workforce plays a hugely important role in reducing cyber risk, with 85% of cyber-attacks happening as a result of human error. While technological solutions are a useful way of mitigating the threat, in reality it matters very little if your employees are not following best practice and being cyber aware as they go about their daily work activities.
So how do you engage your workforce and make them see just how important it is for your organization to be proactive about cyber security? Let's find out:
1. Give them the facts
Often, company employees are quite relaxed when it comes to cyber security, but this is largely because they lack the resources and education around the risks. While many organizations will claim to have a cybersecurity program in place, this is usually minimal and little is done to ensure attendance and engagement. Unfortunately, keeping cyber security on the backburner hurts both the company and its employees. Before long, one employee may open a phishing email and cause a data breach, damaging the company’s reputation and finances as it tries to rectify things.
It’s no secret that the threat is out there, and acting as though your organization is 100% secure only does more damage. Instead, keeping employees aware and up to date with cyber threats that may affect your organization ensures cyber awareness is kept at the forefront while they go about their day, helping to reduce their contribution to the risk. Emphasizing the importance of each and every employee in minimizing risk for the business will help to encourage your workforce to take things more seriously, with the hope that they will be able to see the cause and effect of their actions online at work.
2. Introduce it early on
Making cyber security vigilance a part of an employee’s onboarding demonstrates from the off how important cyber security is to your organization and sends a clear message that your employees are valued contributors towards that security.
It’s also a good idea to introduce security policies as a way of communicating your expectations to employees and painting a picture of your organization’s approach to cyber security. Many recognized security standards will even require formal documentation of your various security arrangements. Each onboarded employee can then review the policies as part of their training and refer to them periodically.
3. Start with basics
Don’t assume your employees know a huge amount about cyber security. It’s important not to overwhelm them with techie jargon, but rather keep a focus on the areas that will have the biggest impact on the security of your organization and communicate these in plain English.
Some of the most crucial areas for cyber security awareness, and the biggest causes of cyber-attack, are things like poor passwords and using your device in an unsafe way. In 2019 alone, 80% of hacking-related breaches were reportedly linked to passwords and stolen credentials, showing just how important secure password management is, and this rests largely in the hands of employees.
4. Hold regular security awareness training sessions
These don’t have to be arduous and boring and can be a good way of bringing teams together, introducing an element of interactivity. Fun themes and activities can liven up what could otherwise be seen as a dull IT session - get creative with games like ‘who can write the best phishing email?’ and then get participants to identify the common signs of phishing.
Phishing is an important attack to be aware of and tricks many unsuspecting employees on a daily basis. A lot of security training companies offer phishing simulations, designed to test employees on their cyber vigilance by seeing if they interact with a fake phishing email. This can be a good way of implementing ongoing cyber training, teaching employees to always be on their guard.
It’s especially important to include remote working employees in these training sessions, as cyber awareness can often be even patchier within a home environment. We feel more comfortable and may be more likely to miss a suspicious-looking email or use data in insecure ways, favoring convenience over security best practice.
5. Show your employees how they might be impacted by a cyber attack
It isn’t recommended to rely on fear mongering techniques, but it’s important for employees to realize that if your organization got attacked, there could well be repercussions and inconveniences affecting them:
- Operational downtime: Often cyber-attacks will cause outages, preventing your employees from accessing important data and getting their work done. This could set back deadlines and cause a lot of frustration within the organization.
- Employee data compromised: Once part of a company, employees will have their data held within the company’s systems, so if hit by an attack, their data may be among that which is compromised, stolen or tampered with.
- Damage to reputation: Employees represent a company, so when that company has earnt a bad reputation because of a cyber-attack, this can adversely affect your employees’ own relationships with customers and partners.
6. Encourage employees to look out for vulnerabilities
Your workforce can be a powerful asset for identifying threats, as they will use your organization’s network and systems every day. Incentivizing this kind of awareness will help encourage employees to report any suspicious finds and could prevent a serious attack.
Employees should also be encouraged to report their own mistakes, as these can often be the cause of a breach. For example, clicking a malicious link in an email might trigger malware to be downloaded and allow hackers to access company data. Although an employee may feel hugely guilty and embarrassed, making sure you create a safe space for employees to report incidents like this will mean you can get on top of the issue as soon as possible, helping to keep damage to a minimum.
Encouraging your workforce to be vigilant about cyber security makes a massive contribution towards keeping your cyber risk low, but it is not a case of simply giving a lecture about cyber security every now and again and hoping it sticks. Just as with any cyber security strategy, keeping your employees engaged and committed to being cyber secure requires regular monitoring and reinforcement. Organizations need to cultivate and maintain a culture of cyber awareness, help employees to understand the risks, and periodically review strategies, processes and policies to give employees all the resources they need to support a secure working environment.
About the Author: Clive Madders is Chief Technical Officer and Assessor at Cyber Tec Security. With over 25 years’ experience in the industry, Clive has built up an extensive repertoire as an Enterprise Solution Architect, delivering managed ICT support services, Cyber Essentials certifications and advanced security solutions to help improve the cyber security maturity of businesses across the UK.