10 Tips on Creating Cyber Security Awareness within your Organization
Your employees are the most common entry point for attacks on your company, but how can you change that?
"If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities," - Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council.
Most companies roll out security training to their staff once a year, if at all. Some companies give security training only to new hires. As we've seen in many businesses, this practice no longer works. Security training needs to be more than a check box on an annual to-do list.
Instead, we should treat our security training the way we treat our technology: constant updates and monitoring to make sure that our systems are running at optimal capacity. Companies should be consistently updating their employees on the latest threats and training them to recognize and avoid them.
Your employees are your greatest assets, and you need to invest in them continually. There will always be vulnerability, but if you continually work with your staff to recognize and identify risk, it will build a culture of security awareness.
Here are 10 tips for helping all employees understand cyber risk and best practices:
1. Have a Plan
Technical teams should develop a formal, documented plan for cyber security training that is reviewed and updated often with the latest information on attack vectors and other risks.
2. Get Buy-In from the Top
Ransomware is a billion-dollar industry. This year alone it is estimated that ransomware attacks will cost businesses $11.5 billion and that there will be an attack every 14 seconds. The CISO, CIO, or senior IT leadership team needs to make the rest of the C-suite aware of the ramifications of a potential breach. A good cyber security plan typically requires line items in your IT roadmap for people, hardware, and software, and that means getting buy-in from the CEO, CFO, or CIO.
3. Give Staff a Clear Way to Report Incidents
Give your staff a clear channel of communication, such as an emergency number, to alert your administrator to suspicious emails or unusual activity, or to report a lost or compromised device, even if it turns out to be a false alarm. Some cyber-attacks are preceded by a seemingly innocent work-related phone call, perhaps from someone posing as a vendor or service provider and trying to establish passwords or security codes. Don't overlook the significance of such calls as a precursor to cyber-crime.
If an attack or breach does occur, give everyone a timely heads-up to limit the impact of the attack. Ensure you have an internal communications plan and PR strategy in place should the worst happen, so your teams are equipped to field questions and reassure concerned customers, partners, or investors.
4. Start During the On-Boarding Process
A new hire's first few days and weeks can be challenging. With learning job duties, administrative tasks, meeting co-workers and a dozen other pressing tasks vying for attention, you may be tempted to put security on the back burner. Don't. The on-boarding process is critical in setting expectations. Establish specific guidelines for your new hires on browsing the internet, on setting, updating, and protecting their passwords, and on safe handling of USB devices. If you put cyber security on the back burner, don't be surprised if your employees follow suit.
5. Consider performing "live fire" training exercises
Some of the best training today is "live fire" training, in which the users undergo a simulated attack specific to their job, Schwartz said.
"Maybe they become a victim to an attack that's actually orchestrated by a security department or an outside vendor, and then they're asked to understand the lessons they've learned from that attack, and the implications on the business, on their personal lives and how they could have prevented it," Schwartz said. "And then they're asked to share that experience with their peer group." This exercise helps employees understand the consequences and business impact that even one security breach can have.
6. Evaluate Employees and Systems Regularly
Don't be afraid to conduct on-going evaluations of both employees and systems to uncover how susceptible your company is to attack. Until you evaluate, you can't be sure what your current security posture looks like. Treat these evaluations as report cards for your business's security vulnerability.
7. Offer continuous training
Cyber security training should continue throughout the year, at all levels of the organization, and be specific to each employee's role. For end users, focus the training on the types of phishing attacks they may receive via email. For your technical department, the attacks covered can be more technical in nature. The important part is to understand that the threat landscape is ever-changing and evolving. Keeping technical security training current and relevant is key to preventing breaches.
8. Stress the importance of security at work and at home
Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace, but also at home. According to Norton, identity theft affected 60 million people last year alone. Teaching the importance of privacy and security beyond the workplace can have a big impact on gaining buy-in from employees, because cyber risk doesn't end when an employee leaves the office. Best practices can and should be carried over into their personal lives.
9. Reward employees
Look for opportunities to celebrate success. When someone completes the mandatory on-going security awareness program, recognize their effort publicly or even with a reward. A simple cash reward of $50 is a strong motivator, and people remember the security lesson that earned it. They will also be quick to tell five co-workers they received cash for learning, and those five will jump into the training quickly. If you are shuddering at the idea of giving money to employees, consider the cost of a security breach to your business: $2.2 million on average per attack for SMBs, according to the Ponemon Institute.
The other side of reward is advancement. Provide opportunities for team members to grow into a dedicated security role. If you say security is an important part of your business, prove it by providing growth potential for those with a passion for security.
The final step is to provide an opportunity to earn paid education and certifications in security. This is especially important for your technical team. Many online universities offer preparation for security certifications such as CEH, CISSP, and CISM. If your employees can't find the time for after-hours courses, set up a training program they can complete during work hours.
10. Build a Culture of Cyber Security Awareness
An organization's security culture requires care and feeding. It does not grow in a positive direction without constant work; you must invest in it. A sustainable security culture is bigger than a single event: it transforms security from a one-time activity into a life-cycle that keeps returning value.
To build a sustainable security culture you must focus on four main features. First, make sure it is deliberate and disruptive. The primary goal of a security culture is to foster change and better security, so it must disrupt the organization's existing habits and be deliberate, with a defined set of actions to drive that change. Second, make sure it is engaging and fun. People want to participate in a security culture that is enjoyable and challenging. Third, make sure it is rewarding. For people to invest their time and effort, they need to understand what they will get in return. Fourth, provide a return on investment. The reason anyone does security is to improve what they offer and reduce vulnerabilities.
A strong security culture not only interacts with day-to-day processes and procedures, but also defines how security influences the products and services you sell. A sustainable security culture is persistent. It is not a once-a-year event but is embedded in everything you do.
While there is no foolproof method to protect your business, educating your employees about security threats and best practices for online behavior and privacy can at least reduce the likelihood of a breach caused by human error.