In a world where 90% of cyber attacks utilize social engineering to exploit human weakness and bring about errors in judgment, it makes sense that beefing up the security skills of computer users would decrease cyber criminal success. Secure behavior can be taught yet many organizations still struggle with getting everyone to understand their responsibility for security. This has executives who are tasked with managing cyber risk asking themselves – how can we get people to care more about cybersecurity?
Can you really make someone care about anything? How do you get your kids to care about doing their homework? How do you get people to care about driving safely? How do you get people to care about exercising or eating healthy? Ultimately, you don’t have the power to make people care, but you can create an environment that not only teaches but reinforces and rewards the behaviors you want.
Build a Cybersecurity Culture
Recognizing that you’re evolving a culture and not just implementing a set of practices is the first step in making security a guiding force in everything your people do. To build a culture you need to have goals. Employees need to understand what you expect of them and have access to the training and support that will allow them to meet those expectations.
Secure practices need to become routine and not viewed as inconveniences. With enough repetition and reinforcement, secure routines become habits. When security becomes a habit, then you know that it’s ingrained in your culture. So how do you get to that point? Every organization is different, but here are some ideas to get you started.
1. Understand What’s at Stake
Employees may never see why security should be a priority if they don’t know how the repercussions of a cyber attack would affect the company as well as themselves personally. Answer the “What’s in it for me?” question by painting a picture of what actually happens when there’s a data breach.
“Our operations will be down. We won’t be able to serve customers. We’ll lose revenue. We’ll have extra costs. The whole business will be stressed and not only may your job be in jeopardy, but the very existence of the organization may be at stake. Not to mention that the personal data that we store about you might be exposed.”
Helping people understand the “why” behind security is a vital building block of creating a security mindset.
2. Understand the Threats
Unless they’re in IT or compliance, your employees probably don’t know how cyber crime has grown and evolved. They might envision a young adult playing around with hacking, but they don’t know that even a lone hacker has access to a whole library of software that can be purchased with a subscription. They don’t know that cyber crime is a lucrative operation of organized crime.
The tactics that the bad actors use to steal, hold for ransom and corrupt data have evolved as technology has evolved. They’re using Artificial Intelligence as well as good old-fashioned phone scamming to get people to do something that will allow them to punch through or bypass the layers of security that are meant to keep them locked out.
When people know that the dark web is real and that everyone is a target, it will motivate them to put up their guard.
3. Make Expectations Clear
It’s one thing to document the practices that employees should follow in your handbook and policies, and it’s another to make the behaviors stick. An annual workshop isn’t going to be enough to create consistency nor keep up with changes in the threat landscape.
If you don’t have policies for network and data access, and acceptable use of computer resources, get those documented. Then plan for how you’ll train and enforce policies. Start with onboarding and develop ongoing programs to keep security top of mind. (Remember – you’re trying to create routines that turn into habits.)
You don’t need to reinvent the wheel when it comes to cybersecurity awareness training. Companies like KnowBe4 offer affordable programs that can be customized to your company as well as to individual users.
4. Reinforce and Reward Secure Behavior
Make successful completion of training visible by thinking up incentives that speak to your people. It could be a shout-out at your company meeting or pizza when the whole department hits a milestone.
At the same time, be mindful that mistakes and errors in judgment will sometimes happen. The last thing you want is for someone to try to hide a possible intrusion. You can flip that situation by rewarding the employee for doing the right thing when they report that something bad happened.
Make security an ongoing theme in your internal communications to bake it into everyday operations and increase visibility for the role employees play in security.
5. Consequences for Insecure Behavior
Just as you don’t want to discourage people from reporting a potential cyber attack, you also don’t want to make your policies worthless. That means that there will be occasions when employees who choose not to follow guidelines will need to be reprimanded.
If you don’t think this is necessary, just think of what would happen if there were never any consequences for failing to follow traffic laws. If nothing is enforced, pretty soon it’s a free-for-all and the outcome is accidents, injury, costs and even death.
Set up a system for dealing with insecure behavior so that employees know not only what is expected of them, but what they can expect for noncompliance.
Executives Lead the Way Towards Cybersecurity Literacy
You can’t make someone care about cybersecurity, but you can teach practices that can turn into habits that support your cyber risk management goals. Executives need to play a key role in keeping cybersecurity visible and participate in programs along with employees. They also need to allocate the resources that are needed to create a cybersecurity literate workforce.
First Steps Towards Building a Cybersecurity Culture
If you’ve never thought about how vital it is for everyone to understand their responsibility for security, your first step is to become better informed. Start asking questions to find out where your organization is with training and enforcement of security policies and sign up for company-wide cybersecurity awareness training that will teach employees how to recognize and respond to potential cyber attacks.
Find cybersecurity advocates within your company and enlist people who are passionate about security to participate in developing and implementing cybersecurity programs. Put security into your internal communications plan. Never stop talking about how important it is to protect people, data and networks from harm.
Managed Security from XPERTECHS
At XPERTECHS, security is woven into everything we do. We’re so committed to our clients’ security that we maintain SOC 2 compliance that provides third-party verification of our practices and procedures along with their continuous improvement. Read why SOC 2 Compliant Managed Service Companies Should Be on Your Vendor Shortlist.