Your employees are one of the biggest risk factors when it comes to your business and cybersecurity. You can lecture them, make them take online tests, even install software on their machines, but one rogue click on a phishing email could cost your business dearly. The answer: build a robust cybersecurity awareness culture to keep your business safe.
When was the last time you inspired your employees about cybersecurity?
You might’ve given a presentation, or delivered a series of online tests for people who, most probably, didn’t pay it their full attention. Ask yourself, if you said “cybersecurity awareness session,” would employees A: be excited and engaged, B: see it as a chance to switch off, or C: be more worried about pressing deadlines to pay full attention? If you answered A, well done – you’re already building a cyber-aware organization. If you answered B or C, you need to change the dynamic from one-off training to a more embedded cultural of cyber-awareness.
Culture, not lectures
I worked at a firm years ago, one of their biggest rules: the phone never rings a fourth time. So for every member of staff, as soon as we stepped into that office, we knew the drill. And nobody had to teach new members of staff to do it – they could see for themselves what was expected of them. We just did it instinctively. It was part of our culture which became a habit.
Strong cybersecurity cultures aren’t built on one-off lectures about how dangerous the cyber-world is, they are built on engagement and habit.
Think of cybersecurity best practice like clearing out your cupboards – you do it once, but inevitably you’ll need to repeat it on a regular basis. Or to get more specific, it’s like putting anti-virus software on a computer and never updating it. Strong cybersecurity cultures aren’t built on one-off lectures about how dangerous the cyber-world is, they’re built on engagement and habit.
How to engage your employees and protect your business
Firstly, if you have the funds, invest in IT talent. By appointing someone who’s in charge of protecting your business, monitoring threats and educating your staff, your business will be better equipped to deal with cyberattacks. And make sure your IT teams have the training in threat intelligence and the right technologies in hand to spot and act on threats.
But what if you’re a small medium-sized businesses (SMB) with limited resources, and perhaps none or few dedicated IT specialists? Think bite-sized: small, but frequent. As you build momentum in the office, people will become more aware of what you’re trying to do.
For example, a poster with five ways to stay cyber-safe will catch people’s eyes if you put it somewhere public, like the kitchen sink – next to your other safety at work signs. Or think about your procedures. As spear phishing emails – in which hackers assume the identity of a member of your staff – become more prevalent in targeted attacks. Giving multiple people the responsibility to sign off financial transactions, could stop identity thieves in their tracks. Rewarding colleagues and employees can go a long way too. Who has reported the most phishing emails, for example? A gift voucher prize should keep everyone keen to report them.
And while you’re at it, encourage other more security awareness practises in the workplace, like questioning when unknown people are in the building, and avoiding digital clutter like confidential information on the printer or unsecured data sticks.
Ultimately, the most effective way to build a better cybersecurity culture is regularity. My top tip: run short activities often – lessons, tests, simulations, even treasure hunts or a meeting room transformed into a ‘cyber-escape room’ for the day. Frequently give employees a digestible amount of information. They’ll get small enough bites of information to integrate into their daily work while building a foundation for a strong cybersecurity culture. The result? Stronger protection for your business.
For more tips on security awareness and workplace cybersecurity best practise, read an interview with Barton Jokinen, Kaspersky’s Head of Information Security and Compliance for the Americas.