We all know the drill.
Once a year we are required to take part in annual cybersecurity training. After an hour or so of plodding through technical jargon, we hit submit. Whew, that’s done…
But how much do you remember from that training a month later? Six months later? Did it leave you feeling empowered and engaged? No?
You’re not alone. And that’s a big problem.
Data breaches are a costly threat to any type of organization.
“How well could your company recover from millions of dollars in damages?” asks James Barker, PhD, an adjunct faculty member in the School of Business and Technology at Capella University. “Think of a small to mid-size business. A financial impact on that scale could be devastating. The reality is many data breaches are the result of employees being lax. If you fall for a phishing email and click on a link with malicious code, you could put your company out of business.”
So how can organizations avoid that fate? How can they build a culture of cybersecurity where every employee is not only informed about the threats but keeps those threats front-of-mind every day and is empowered to do something about them? Barker offers the following suggestions.
1. Share the successes.
The issue with many cybersecurity training programs is that the focus is on prevention, and little is communicated regarding results and successes. In other words, employees are instructed on how to prevent cyberattacks, but there is scant follow-up on how their diligence is paying off.
“Typically, cybersecurity is something that is done in the background of an organization without a lot of visibility,” Barker explains. “Many cybersecurity professionals like it that way because they think if they share the details of their work, they are exposing themselves to more potential threats. That is a limited way of thinking.”
Instead, Barker advocates for sharing easily digestible, highly visual reports to all staff on a regular basis that show the volume of attacks, the types of attacks, and how they were stopped.
“Employees should be aware not only that their organization is being attacked, but also how those attacks are happening and being defeated,” Barker says. “Doing so creates awareness, but also a sense of ownership and pride in how employees are protecting the organization.”
2. Keep it simple and constant.
“The general assumption that many companies cling to is that if you train employees once a year, they will retain that information; that’s a false assumption,” Barker says. “Even if you are in compliance with certain regulations, it’s still likely not sufficient.”
Rather, Barker recommends distilling cybersecurity best practices into daily or weekly tips that are communicated to all employees via text, email, intranet – any channel that employees are familiar with and can access easily.
“Organizations need to do whatever they can to stress that cybersecurity is something employees need to think about all the time, not just once a year during mandatory training,” Barker says.
3. Don’t create paranoia.
With cybersecurity, there is the risk of creating a paranoid workforce that is afraid to open any email or send anything digitally. Obviously, that won’t work. According to Barker, a core component of creating a culture of cybersecurity is to highlight the robust systems and teams an organization has in place to identify and deter cyberattacks. In other words, employees need to know they are not alone in the fight.
“You don’t want employees terrified to touch their computers,” Barker emphasizes. “They need to know that there are expert staff and complex infrastructure behind the scenes. As employees, they are really an extra line of defense at the computing endpoint. You want a healthy level of awareness to the threats, but not paralysis.”
Barker adds that employees should feel empowered to speak up when something looks phishy (pun intended). There can be no risk of retribution or shaming if they are wrong.
“When in doubt, call it out,” Barker says. “Employees need to know whom to contact and how to report something that doesn’t seem right. It needs to be easy and obvious and readily available. When appropriate, they should be rewarded for speaking up.”
4. Offer the carrot over the stick.
What does that reward for cyber vigilance look like?
“It’s about the carrot instead of the stick,” Barker says. “Incentivizing employees for identifying and protecting against attacks could come in the form of gift cards or paid time off. The point is to celebrate those successes and shine a light on vigilant defenders. Yes, you have to be wary of people abusing rewards like bug bounties (where you get rewarded for finding a bug that you created), but for the vast majority of employees, their hearts will be in the right place.”
What about when someone lets their guard down and exposes the organization to a cyberattack? What should happen to that person?
“Most people are well-intentioned, but they may be stressed or in a hurry, and that’s when the risk is at its greatest,” Barker says. “Take the seriousness of the infraction into account, but don’t publicly ostracize an employee for making a mistake. Use it as a teaching opportunity.”
In conclusion, Barker stresses that employees are the most important safeguard against cyberattacks. “The threat of cyberattacks needs to always be running in the back of our heads,” he advises. “Just like when you get in your car you put on your seatbelt. It should be automatic. It’s about doing the right thing when no one is looking.”
Learn how to create a culture of cybersecurity with an online degree in information assurance and cybersecurity from Capella University.