Cybersecurity in the Workplace is Everyone’s Business
Teaching your employees how to recognize and prevent phishing schemes can turn your workforce into one of your best defences against cybercrime.

By: Andrew Matthews
As a result of the evolving threat landscape coupled with persistent news coverage of global breaches, cybersecurity has become a priority for many organisations worldwide. The attack surface and the potential exploits in any organisation have grown exponentially with the rise in remote working and the growth of cloud, BYOD, and mobile technology. Yet cyber criminals continue to successfully leverage phishing attacks, luring end users into giving up private data with what appears to be legitimate information.
The Cybersecurity Threat Insights Report highlights that phishing accounted for 38% of the initial access vectors across all of Secureworks’ incident response engagements between 2015 and 2016. Phishing specifically exploits the human element, taking advantage of trusting victims to encourage them to click on malicious links or attachments. To mitigate the risk of a breach, organisations should adopt cultural shifts that prioritise cybersecurity, making it everyone’s responsibility and providing training and resources that arm individuals against these tactics. Here’s how your organization can help guard against malicious hackers who may be targeting your employees.
Make Guidelines Relatable
Your employees most likely have extensive to-do lists each day, and they are focused on making sure they accomplish their list of priorities. It can be a challenge to convince employees to prioritize strong security hygiene, like utilizing a password manager or two-factor authentication, when it can seem tedious and unnecessary. Still, we know that having employees practice strong security habits can be a huge asset to an organisation’s defence, so show them why these practices are so important in ways that are relatable to their own lives. Teach your employees how activating two-factor authentication for their social media accounts reduces the risk of someone breaking into those accounts even if the password is stolen. If they understand why it is important for them, it will help them understand why it is important for the organisation.
Make it Relevant
While NotPetya and WannaCry were huge stories within the cybersecurity world and amongst the industries most impacted, the truth is that most unaffected individuals rarely change their security behavior based on events like these. If you want your employees to be part of the company’s security culture, then make it relevant to them. Banking fraud and similar online threats can impact the organization, but these tactics can impact your employees directly as well. Whatever training approach you take, your employees need to be interested and feel invested in preventing the potential impacts in order to digest what you are sharing.
Make it Simple
Outside of your IT department, most of your employees don’t know much about malware, RATs, honeypots, and the like. If your employees don’t understand the terminology, you can bet they will struggle to understand what’s expected of them. Stick with the basics and make sure your guidelines are easy to digest so you have a greater chance of reaching them.
Help Them Understand Their Role
There’s often a misconception amongst nontechnical employees that cybersecurity and securing the organisation is someone else’s responsibility. They may not fully understand the risks and therefore believe that prevention lies outside of their role. Helping people to understand how they fit into the cybersecurity culture and how their day-to-day jobs can impact the organisation’s security strategy gives them ownership and empowers them to help reduce risk.
Make it Fun
How many meetings do people attend in a day? How many of those meetings could have been addressed with an email? People only really give you their undivided attention if they are engaged. If you want someone to be engaged, make it fun. You will reach more employees by entertaining them than by reiterating cybersecurity jargon and educating by doom and dread.
Reward Good Behaviour
Cybersecurity can be filled with fear, uncertainty and doubt. Punishing people for the wrong behaviour is ineffective. You can read some of the studies conducted by psychologist B. F. Skinner, but to summarise his extensive research, positive reinforcement works more effectively than punishment in training behaviours. So when you see people doing the wrong thing, explain why the right behaviour is important, and when you see improvements in behaviour, reward them.
Keep the Message Alive
The most important thing to remember is that building a culture around cybersecurity is never one-and-done. We all must remain persistent and create ongoing resources and training that keep best practices top of mind. Highlight tips in regular newsletters, hang posters around the office, spend time on security at company meetings, and develop security champion programmes. These are just a few ways you can prevent the culture from fading into the background.
Cybersecurity is a Shared Responsibility
Creating cultural change can seem overwhelming, but the effort needed to help reduce the risk of breaches pales in comparison to that which is needed once a breach occurs. Like me, my wife loves spending time online, using social media to connect with friends and enjoying the convenience of online shopping. When I started working in the cybersecurity industry, I came home and shared some of the best practices I had picked up in my new field, and I made sure to avoid technical jargon so that the best practices would stick with her too. The events we discussed were relatable and relevant to our online habits. I still share articles and white papers when I come home, and now we both practice strong personal security hygiene, including using two-factor authentication and applying patches without delay. It has become an ongoing part of our conversation because, as with any corporate security education, keeping it top of mind helps protect us and our data.