How to Get Your Employees to Take Cybersecurity Seriously
Hackers and cybercriminals from outside of your company will always present a risk. Whether they are targeting your company specifically, or their unauthorized access of your network is merely a crime of opportunity, it’s important to protect from intrusions coming from the outside.
That being said, multiple studies indicate that employees actually present the greatest risk to corporate cybersecurity, far more so than outside threats, for several reasons. First, they often create openings that hackers use to gain access, usually by accidentally opening an email or clicking a link leading to a malware infection. Employees are also more prone to behaviors that create risk, such as not following password protocols, sending unencrypted company data via unsecured email, or downloading applications that haven’t been fully vetted and approved. Finally, there is always the risk of a disgruntled employee deliberately creating a security risk to “punish” their employer or secure financial gain.
Although the vast majority of cybersecurity incidents involving employees are unintentional, they are still costly and harmful to your business. And unfortunately, most employees either don’t realize that what they are doing is a problem, or they assume that IT has everything covered, so they don’t need to worry about it.
This blasé attitude toward cybersecurity has many experts scrambling to keep their company networks secure while still maintaining productivity. Many ask the same question: How can we get employees to take security seriously, and stop making mistakes that jeopardize the company networks? As it turns out, there are several ways you can build a stronger security culture and keep your networks safe.
Training, Training, and More Training
When new employees join your organization, how are they trained in cybersecurity? If your company is like most, employees are probably directed to read the employee handbook to learn the rules and regulations, and might even get a short presentation by the IT department about what is and isn’t allowed. And then they are sent off to fend for themselves, without any follow-up.
The thing is, cybersecurity training isn’t a “one and done” proposition, and it certainly cannot be addressed in a few paragraphs in the handbook or a short PowerPoint. To truly create a culture of security, employees need to be thoroughly trained in your protocols, and then receive refresher training at regular intervals. They should receive regular security updates, highlighting new risks and reminders about what does and does not constitute acceptable use of company resources.
All of this training should also incorporate a testing component to confirm that employees understand the risks and proper procedures. For example, many agencies run phishing tests designed to test employees’ ability to identify dangerous emails and how they respond to them. By testing employees’ security know-how, it’s easy to identify gaps in your training and improve their ability to avoid trouble.
Password Management
Companies that lack a comprehensive password management program also tend to have difficulties with employee compliance. When employees are allowed to re-use passwords, are never required to change them, and keep track of them using scraps of paper, there’s a high potential for things to go wrong. Implementing a password management strategy based on best practices (regular updates, minimum length, etc.) and using a product like Trend Micro Password Software Manager to help create and store secure passwords can help keep passwords safe, and show employees that they need to take security seriously.
Restrictions and Tools
Often, employees don’t seem to take security seriously because the protocols that are in place make it difficult to stay productive, so they come up with their own workarounds. It’s also common for employees to develop their own solutions because another, more secure option isn’t available; for example, they email documents to their personal email addresses to work at home because there isn’t a more secure option.
The most secure businesses are those in which IT security works with employees to find ways that they can do their work in the most secure way possible. This might mean switching to a more user-friendly calendar application, for example, or developing a cloud-based storage solution for the secure transfer of data. It might mean developing a plan for BYOD that allows people to use approved devices for work, instead of doing so on the sly and without proper protections. The idea is for everyone to work together, to build respect and a more solid understanding of security requirements.
Above all, though, the best way to ensure that employees take cybersecurity seriously is for management and IT to take it seriously. This means developing a strict policy, with enforced consequences for noncompliance. When employees understand that not adhering to the rules leads to serious consequences — including termination — the chances of compliance increase significantly.