How to Instill Cybersecurity Awareness in the Workplace
Five ways to educate your workforce on cybersecurity and create awareness throughout your enterprise
When a data breach occurs (and we all know they do; September 2017 was a testament to that), we typically hear about the repercussions for the C-suite. But what about everyone else? No single individual is responsible for the cybersecurity health of the whole organization.
Cybersecurity in the workplace is everyone's job.
To help prevent such breaches, a comprehensive cybersecurity awareness program is essential.
The first step toward creating a successful cybersecurity awareness program is to recognize that this is not a project with a defined timeline and an expected completion date.
Instead, this initiative should foster cybersecurity consciousness in the company culture and throughout the organization. This requires constant education and vigilance.
Typically, the most effective programs educate users at initial hire and every quarter thereafter. The training should reach all users, and especially those at the executive level, who are high-value targets.
A mature program should also be shaped by a keen understanding of the organization's culture. This not only helps set the tone for the material but also informs how individuals are coached and guided toward better cybersecurity competence and behavior.
Some companies are highly collaborative and embrace an open atmosphere in which workers share ideas and contribute to initiatives, and managers encourage teamwork, participation and accountability. Others are authoritarian, with leaders dictating participation without considering the experience and input of stakeholders. The latter struggle with the adoption of cybersecurity awareness, which raises the risk of a breach.
In most organizations, awareness training is infrequent and stale. Most people forget the majority of what a cybersecurity training program presents, because the program fails to use a variety of media and content styles and probably happens only once a year.
Raise the cadence to three or four times a year and give program managers creative liberty with the content so it suits their audiences and demographics. Remember that what works for one group may not work for another. Consider visuals (whiteboards, videos and ideation sessions), use conversational discussion of the subject matter, and try role-playing certain concepts so participants can move around and engage with each other.
A recent report from Gartner and Cybersecurity Ventures supports a multi-pronged approach to cybersecurity awareness programs. It estimates that employees' cybersecurity competency will increase 40 percent by 2020 when different program tactics are used, and it notes that awareness training is the most underspent sector of cybersecurity but will be worth $10 billion within 10 years.
I have said it for years and will continue to say it:
Have you ever considered creating a cybersecurity champions program? This is a great method for creating collaborative teams inclusive of all roles and geographies across the organization. I suggest obtaining executive buy-in for this type of program and aligning the program directly with business objectives. This will not only help ensure success from the beginning but also gives you a scalable, dispersed team of knowledgeable employees focused on reinforcing key cybersecurity messages.
Attackers keep finding new and creative ways to fool your people into handing over your most valuable data. Whether the channel is corporate email, a social media platform or a phone call, your employees need to be alert.
For any service you use, turn on whatever two-step verification (two-factor authentication) it offers. With it enabled, a user enters their login ID and password and then supplies a second factor: a one-time code from an authenticator app, a hardware security key, or, at minimum, a code sent by text message. A stolen password alone is then not enough to log in. Prefer an authenticator app or hardware key where the service supports it; SMS codes can be intercepted through SIM swapping, and any code a user types can be phished in real time, which is exactly the scenario the training should rehearse. The feature is simple and effective, but many people don't know it exists or never enable it.
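To make the second factor concrete for a technical audience, here is what an authenticator app actually computes and how the service checks it, as an added example that is not part of the original article. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only; the secret is the RFC test key "12345678901234567890" in base32, so the codes match the published test vectors. The verification side tolerates one step of clock drift, compares in constant time, and refuses a code that has already been accepted, so a code phished and replayed inside the same 30-second window fails. The `accepted` set standing in for a per-user store is an assumption for the example.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32,
# i.e. what a provisioning QR code would carry. Not a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating missing '=' padding and spaces."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the app on the phone computes; no network leg (and no SMS) is involved."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, accepted=None) -> bool:
    """Server-side check of a submitted code.

    - Accepts the current step plus `window` steps either side to tolerate clock drift.
    - Compares in constant time so response timing does not leak partial matches.
    - `accepted` records counters already used, so a code that was phished and replayed
      within the same step is rejected. (Assumption for this example: in production this
      is a per-user store, not a set passed by the caller.)
    """
    if accepted is None:
        accepted = set()
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    secret = decode_secret(secret_b32)
    now_counter = unix_time // STEP_SECONDS
    for counter in range(now_counter - window, now_counter + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if counter in accepted:
                return False          # replayed code
            accepted.add(counter)
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code, "accepted by server:", verify_totp(DEMO_SECRET_B32, code, now))
```

Note that the replay guard only protects the individual step: an attacker who relays the victim's code to the real site within the same 30 seconds still wins, which is why hardware keys that bind the response to the site's origin are the stronger option.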
Email phishing is a scam in which unsolicited emails are made to appear to originate from legitimate sources. Attackers prey on unsuspecting victims to elicit personal and financial information. For an organization, these fraudulent emails pose a considerable security risk, as the embedded links they contain can become conduits for the installation of malware on corporate assets. Once an attacker has established a persistent foothold on the corporate network, further exploitation can follow, including exfiltration of sensitive data or destructive activity that disrupts business operations.
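The checks a trained user is asked to perform by eye on those embedded links (does the displayed address match the real one, is the company name merely stuffed into a stranger's domain, is the host a bare IP or a look-alike) can be automated. The following is an added example, not code from the article, that extracts every link from an HTML email body and flags the usual tells. The organization domain `example-corp.com`, the sample email and the findings labels are constructed for the example; the two-label registrable-domain heuristic is a stand-in for a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the organisation's own registrable domains (assumption for this example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Anchor text that itself looks like a URL, e.g. "https://mail.example-corp.com/owa".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Crude on purpose: real code consults the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def assess_link(href: str, text: str):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        findings.append("non-web scheme")
    if "@" in parsed.netloc:
        findings.append("userinfo before host")      # http://example-corp.com@evil.example/
    if host and host.replace(".", "").isdigit():
        findings.append("raw IP host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host")             # possible IDN homograph
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and reg != trusted:
            findings.append("trusted name inside untrusted host")
    if URL_LIKE.match(text) and registrable_domain(host_of(text)) != reg:
        findings.append("displayed URL differs from href")
    return findings


def scan_email(html: str):
    """Run every link in an HTML email body through assess_link."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in extractor.links]


# Constructed sample phishing email (not a real message).
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. <a href="http://example-corp.com.mail-quota-reset.net/login">Click here to free space</a></p>
<p>Or sign in at <a href="https://203.0.113.9/owa">https://mail.example-corp.com/owa</a></p>
<p>See the policy at <a href="https://example-corp.com/it/policy">https://example-corp.com/it/policy</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if findings else "ok         ") + href, findings)
```

The same rules are a useful teaching aid in the other direction: show users the three sample links and ask which ones they would click before running the scanner over them.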
A ringing mobile phone is difficult to ignore, even more so when the calling number is one the recipient recognizes. While fraudulent emails can be deleted manually or filtered out by an email security gateway, fraudulent telephone calls are harder to stop. Because many people still treat a telephone call as a trustworthy channel, voice phishing ("vishing") exploits that trust, and the fact that caller ID is easily spoofed, to steal credentials and other sensitive information.
Here's an example of how one of these calls may go:
Criminal: Good morning, Sally, this is Johnny badge number 12345 from the internal IT support team. We are noticing that your computer is sending a lot of data traffic and suspect that your account may be compromised. When was the last time you changed your password?
Employee: Um… not sure, I think like two months ago?
Criminal: Is this a password that you have used before?
Employee: Yes, I use it whenever I can. Is that bad?
Criminal: We are opening a ticket for your case and sending a technician down to look at your machine. They will probably need it for a couple of hours so we will give you a loaner machine. Can you tell me your current password so that we can change it and send your new password with the technician when they arrive?
Employee: Sure, it is AppleCart1.
Criminal: Ok, thank you and I am so sorry for the inconvenience.
Employee: No, thank you for your time and effort. We are in scary times right now.
Criminal: We sure are, but you are in good hands.
Speaking of passwords: the call above should end the moment a password is requested, because no legitimate IT or support team needs a user's password to reset it. Train employees to hang up on unexpected "support" calls and call back through the published help desk number. Train them also to use strong passwords and different ones for different accounts, ideally generated and stored by a password manager. A password should be hard to crack but easy to remember. An example like I82much4dinner!! is better than a dictionary word, but be aware that the pattern behind it (digits standing in for words, a trailing pair of exclamation marks) is covered by the rule sets that password-cracking tools apply to every dictionary entry, so a passphrase of several unrelated words is the stronger memorable choice.
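Password reuse, the weakness the vishing call exploited, is also something a help desk or a self-service password-reset page can check for without ever seeing the candidate password in clear. As an added example that is not part of the article, the following implements the k-anonymity check used by the Have I Been Pwned "Pwned Passwords" range API: the candidate is hashed with SHA-1 locally, only the first five hex characters of the hash are sent, and the returned list of suffixes is matched on the client. The fetch function is injected so the example runs offline; `fake_fetch_range` and its response body (including the breach count) are constructed for the test, and the `min_length` policy value is an assumption.

```python
import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API. Only the 5-character hash prefix is sent to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str):
    """Hash the password with SHA-1 and split the hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for our suffix."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 if not seen)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


def http_fetch_range(prefix: str) -> str:
    """Live fetch, for real use. Not called by the offline demo below."""
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range: Callable[[str], str], min_length: int = 12):
    """Policy decision for a candidate password: (accepted, reason).
    min_length=12 is an assumed policy value for this example."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"appears {n} times in known breaches; choose another"
    return True, "ok"


# Constructed offline stand-in for the API. The first line is the real SHA-1 suffix of the
# string "password" (full digest 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the count and the
# second line are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
}


def fake_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "AppleCart1", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, fake_fetch_range)}")
```

Because the service only ever sees a prefix shared by hundreds of hashes, the check can be run at password-change time on the company's own systems without creating a new place where cleartext passwords are handled.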
Your employees should also be performing regular backups. If your IT department doesn't provide a centralized backup location for data, train employees how to back up their work, where it should be saved, and how to confirm that a backup can actually be restored. Even without a breach, they'll thank you when their hardware fails and they think all their work is lost.
Remote working and bring-your-own-device (BYOD) trends are here to stay. Instead of limiting what your employees can do and use, encourage your IT team to find ways to integrate these trends into your cybersecurity approach. For instance, to support those who want to use their own devices, invest in a mobile device management (MDM) program that employees can enroll in. This ensures that devices used for business are properly encrypted and run only approved applications. It also lets you set restrictions on the device's camera, on sharing between apps, and on syncing with unknown devices and networks, which helps prevent data loss.
In today's world, breaches happen. There is no cure for that, but one thing is certain: awareness training can bring cybersecurity to the forefront of your business strategy, strengthen your security posture and make everyone a defender of your organization.