The idea that company security relies upon the IT department or a small team of infosec professionals is outdated and dangerous. The potential attack surface of most organizations has never been larger thanks to a proliferation of devices and apps, blurring of the line between personal and work lives, and the rapid rise of remote working.
Social engineering techniques frequently trick employees at all levels of an organization into bypassing security systems. Human error is the leading cause of data breaches, responsible for 88 percent, according to Stanford University research. While a business may not accept that every employee should be part of its security efforts, there’s no doubt that threat actors see them all as potential targets.
Look at the way financial institutions have mobilized customers to verify suspicious transactions. People respond because they care, and they are often best placed to identify issues. That same logic can be applied to your cybersecurity efforts, as Nico Popp, Chief Product Officer at Forcepoint, recently pointed out to CyberWire. With a little planning and training, you can enlist everyone to nullify the specter of cyberattacks that circumvent technical safeguards.
This is a definite culture shift that requires businesses to secure buy-in from employees. It’s important to reframe security efforts and move away from employee monitoring. There must be some accountability, but punitive action is largely ineffective; it can even lead employees to avoid reporting incidents for fear of disciplinary action.
It will take time and effort, but there are clear steps you can take to foster collaboration and build a spirit of group responsibility.
The first step has to be a comprehensive program of security awareness training. People must have a good grasp of different threat scenarios and clear procedures in place to follow in the event of a suspected incident. Start with some analysis of previous data breaches and cyberattacks to determine the areas that represent the greatest risk for your business and focus early training on relevant scenarios. Security awareness training should be a regular ongoing process. Your program must evolve over time to take new developments and emerging threats into account.
Raising awareness is also about making security a part of every conversation. Whether there’s a product in development, a new third-party partner agreement, or you adopt a fresh software system, security should be considered and factored in from the beginning. When you challenge everyone to consider the impact different actions will have from a security point-of-view, the company culture will begin to shift toward security mindfulness.
Make It Fun and Engaging
Perhaps the biggest mistake organizations make with security training is to employ dry and dull materials and delivery systems. Ask employees to sit and read a long document or listen to an hour of someone talking about a security challenge that isn’t pertinent to their job role and you can expect them to mentally switch off. There’s no reason that training can’t be enjoyable, or even entertaining.
Mix up your program to include different kinds of media. Strive for interactivity wherever possible. Use mockups that align with what employees are likely to encounter on a daily basis. Try to tailor your training so that it’s relevant to specific roles and the unique challenges they face. When security incidents do occur, exploit them as learning opportunities and model good security hygiene.
Awareness alone isn’t enough; it must be backed up by clear processes and reporting tools. If you teach employees what to look for and make it easy for them to report suspicious activity, you will dramatically reduce the risk of many kinds of security incidents.
Deliver A Return On Investment
At the end of the day, the board is always looking for ROI. They want to know the resources they committed have had a positive impact. But this is also true of employees and their time and effort. To measure the effectiveness of your training you need regular testing with realistic scenarios. You also need to reward the behavior you want to see. If an employee correctly identifies a phishing attack, for example, praise them publicly and reward them with vouchers or cash.
Next to the potential cost and damage that a data breach can wreak, the cost of a good training program and reward incentives for employees is insignificant. Just the simple act of committing resources to security in this way sends a clear message about its value to the company. It is s an effective route to a strong security culture where everyone takes responsibility.
Engaging the skills of your workforce and encouraging them to think about ways to improve security could have an enormous impact. People understand their own departments and roles much better than outsiders can, so they’ll often come up with the most efficient ways to tighten security standards. Every employee has something to contribute, you just need to engage them and get them thinking about security.
About the Author
Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 37,000 customers and more than 25 million users. KnowBe4 also offers a KCM GRC platform that provides ready-made templates for quick compliance evaluations and reporting. Sjouwerman was previously co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at firstname.lastname@example.org.