10 ways to get employees invested in cyber security awareness training
Cyber attacks are growing. Here's how to get employees on board with cyber security
With most of the world having now gone through a full year of remote working, our understanding of cyber security should, in theory, be much better. But to paraphrase Spider-Man's Uncle Ben, with greater use of digital technologies comes great responsibility.
However, many of us are just doing the best we can. According to research from information security firm SafeNet, only 45% of senior managers have been issued with security advice. That has left around 30% claiming there was no best practice advice available, and 25% were not even sure it existed in their company.
The issue is troubling because not only do 90% of workers wish to remain remote, cyber security attacks continue to rise. High-risk email threats increased by 32% last year compared to 2019, a Trend Micro report suggested, with detections of malware, credential theft, and phishing emails all recording double-digit year-on-year increases.
This is without mentioning increases in the use of ransomware and the chaos it caused to hospitals, universities and many top businesses around the world. If you're reading this and you aren't slightly concerned, you must be very confident that your team know all about cyber security best practices, or else you are extremely naive.
If it is the latter, fear not, because IT Pro has 10 top tips to get your employees on board with cyber security.
1. Get buy-in from the top
Like it or not, you have to start here. Any cyber security plan is going to cost the company money. From antivirus software to the personnel hours it will take to properly train people, cyber security is a significant expense.
To get the bosses on board, you need to justify the expenses. Some statistics worth noting:
- On average, hackers attack every 39 seconds
- The average cost of a data breach to a retail business in 2019 was $6.4 million
- Other business sectors like healthcare, technology and education were higher
- 94% of malware is delivered by email
- 43% of breaches involved small businesses
Once you convince the powers that be that paying upfront for solid cyber security is much more affordable than the consequences of not doing so, you’re ready to start implementing your security plan.
2. Get to them early
Just like it’s easier to teach children than adults, it’s easier to get new employees on board than it is to train existing employees. Establish a solid cyber security training plan for new employees and get with your human resources team to make it a standard part of the onboarding process.
By showing new hires a solid plan and letting them know how serious your company is about cyber security, you can get them started on the right foot before they develop any bad habits that could lead to a breach.
3. Make it real
For many employees, the idea of cyber security is something that is handled by another department and doesn’t affect them. Changing this mindset isn’t easy, but it’s possible.
The first thing you need to do is to make it real for them. Make it personal. Help them understand what could happen if there was a data breach at your company. How much money would the company lose? Would that lead to lost jobs? Would bonuses go out the window?
Once they understand how a breach would actually affect them, they’ll likely take it a lot more seriously.
The next step is to teach them their role in the plan. Cyber security isn’t something the IT department can do alone. Again, make it personal. What about their specific job leaves them vulnerable to attack? They’re more likely to buy into cybersecurity if they understand their role in it.
4. Break it down
Don’t bombard employees with packets of information or a three-hour session on cyber security. It’s too much all at once.
Imagine standing against a wall. Someone stands 10 feet away from you and says, “I want you to catch five of these 10 balls,” then he throws all 10 of them at you at once. If you’re lucky, you might catch one ball.
If that same person throws them to you one at a time, you may catch every single one.
That’s how you should deliver your cybersecurity training. Yes, it may take more man-hours, but if you can teach them one important step at a time, there’s a much better chance they’ll understand it and appreciate its significance.
5. Provide continued training and simulations
Once an employee has gone through cyber security training, they’re good, right?
Maybe for right now, but training needs to be repeated and updated as technology changes. These updates should happen more than just once per year.
Develop a plan to have quarterly security training or at least hold training a couple of times per year to keep it fresh in employees’ minds and keep their information up to date.
6. Develop accountability
One of the difficult factors in establishing a cyber security plan at any company is the mentality that it’s the IT team’s responsibility to keep things safe.
OK, IT almost plays the role of the head coach in the cyber security game. Like the coach, the IT department can design the gameplan, but it needs the players on the field to execute that gameplan to get results.
When you train each employee, make sure they know what’s expected of them when it comes to protecting their passwords, avoiding suspicious emails, etc. Also, let them know what’s at stake for them. If they know they’ll be held accountable for their part of the program, they’re a lot more likely to get on board.
7. Using VPNs reduces pressure on them
More employees are working remotely than ever before, and that number is sure to rise in the coming years. This means it’s essential to have a virtual private network in place. A solid VPN is a simple way to protect information passing between employees when they are logged in outside the office.
How does this help employees get on board with your security program? It takes a lot of bad choices out of their hands.
If they have to log in with a VPN, you eliminate the risk of them using unsecured networks, logging into suspicious sites and many other high-risk behaviors.
8. Reward them for diligence
People like rewards, even if it’s for doing what they should be doing anyway.
When you budget your cyber security program, include a slush fund for prizes like gift cards or even cash. Then, set up a program where employees who report malicious emails, pass random tests or consistently change their passwords receive prizes for their diligence.
This type of positive reinforcement is sure to get employees on board with your cybersecurity program.
9. Be good cops, not bad cops
A part of cyber security involves monitoring web activity among employees -- that’s just a fact. However, it’s pretty common for employees to think you’re watching their every move and ready to tell the boss if they take two minutes to check last night’s NBA scores.
Be upfront and honest about how and why you monitor employees’ web time. Let them know you’re all on the same side and there is good reason for what you do. Being nosy isn’t one of the reasons.
10. Be available and friendly
Sometimes the IT department becomes rarely seen unless desperately needed. When that happens, people tend not to call on IT until things have gotten way out of hand.
Be proactive and get to know people. Be friendly and let them know you and your team are there for anything they need help with or any questions, no matter how basic.
If you become a known face and a friendly helper, folks around the office are more likely to feel comfortable reporting something suspicious.