Focus on Benefit
Do you think of security as a benefit? Do your employees? In a cybersecurity culture, the answer should be a resounding “YES!” to both of these questions.
We have all experienced the dreaded "annual training" requirement of a job: boring, disconnected content served up in a boring environment. If this is your employees' attitude toward your cybersecurity training, you may have won the battle of checking off that employees have been trained, but lost the war of building a secure organization. What can you do to change this?
Use breakthrough internal marketing campaigns to nurture the attitude that security enables other goals. Your messages should focus on the benefits of strong security, such as protecting the organization's reputation and making secure work from home possible, rather than on the sacrifices. At the same time, take conscious steps to minimize the burden of compliance on employees.
Extend security awareness beyond the workplace, to home and family. By helping employees address personal cybersecurity concerns, you are building good habits and a “security mindset” that will also benefit the workplace.
Calculate the full cost of compliance for your organization, including your employees' time, annoyance, and effort. And once you know the real cost of compliance, minimize it! Research indicates that the more costly employees perceive compliance to be, the less likely they are to comply. One means of reducing that cost is to build security into the systems themselves wherever possible, so that the control does not depend on an employee remembering to do the right thing: for example, enforcing Multi-Factor Authentication (MFA) centrally rather than relying on users to choose and protect strong passwords, and provisioning access according to the Principle of Least Privilege (PoLP) so that employees are never in a position to reach data their role does not require. Controls enforced by the system rather than by habit reduce the cost of compliance and integrate security practices into workflows almost imperceptibly.
Build Knowledge
Do your employees have comprehensive knowledge of your company’s cybersecurity systems and their role in your strategy? They should.
Occasional emails about new risks are not enough. Once a year compliance training is not enough. Your cybersecurity training should be as robust as your safety and ethics training programs.
- You must communicate to employees the organization’s cybersecurity and compliance standards, as well as best practices and expectations. If you do not, you cannot properly measure compliance, nor hold employees accountable for their actions. All employees should have ready access to policies, resources, and information from a knowledge base, hotline, or their managers.
- You can support depth of knowledge through rigorous training, close supervision, periodic monitoring, testing, and simulations. Although intensive training and monitoring may be perceived as expensive in terms of money and time, it only takes one untrained person to cause a breach.
- Building that knowledge will pay off in employees who recognize and report anomalies. A clear understanding of normal security operating procedures allows employees to quickly catch when something (or someone) is out of place. This applies to scenarios as simple as an employee finding the door to a secured area propped open and notifying security, and as technical as a webmaster noticing unexpected code on a web page and tracing its source.
Develop a Questioning Attitude (Don’t know? Not sure? Ask!)
Do your people refrain from intentionally violating protocol and immediately self-report mistakes? If not, why not?
People make mistakes. Whether consciously or carelessly, your employees will break protocols and shortcut procedures. A 2018 Shred-it study reported "one-third of working adults in the U.S. admitting to potentially risky behavior at work." This is a security risk that can be mitigated by encouraging employees to develop a questioning attitude.
- You can support integrity by eliminating the fear of honesty and increasing the consequences of dishonesty. Encourage employees to report innocent mistakes. An inadvertent click on a link in a suspicious email should be reportable without fear of censure; the sooner the security team hears about it, the sooner credentials can be reset and the affected machine checked, and the less time an attacker has to act.
- Treat unintentional, occasional errors as learning opportunities, but give no second chances for intentional violations. When there are no second chances for intentional violations or dishonesty, workers are less likely to take shortcuts and more likely to report errors right away.
- Ensure your company has a simple reporting mechanism that is quickly and easily accessible by all employees, and that performance policies explicitly support integrity in relation to cybersecurity.
Identify Champions
Quick, can you name five people in your organization who are rock stars when it comes to cybersecurity? Why aren’t you tapping into their potential as leaders?
Relationships matter in any culture, including cybersecurity. Relationships with supervisors, colleagues, and top managers affect compliance with security policies. These relationships strengthen personal connections to work, and therefore motivation.
Starting a "Champions Program" for cybersecurity will help to encourage positive, trusting relationships that enhance your organization's cybersecurity readiness. Open, regular communication about strategy, goals, performance, and challenges can help cultivate relationships and strengthen belief in the importance and effectiveness of cybersecurity policies.
- Executive support is essential for the success of a security champions program. Identify and document a phased-approach business case (with adequate funding) and present it to those at the top. Emphasize the connection of the program to core business objectives.
- A champions program must be organization-wide. The program should have contacts for each role and location in the company. These should be colleagues who understand the role of the employee, but also the challenges of executing that role securely.
- How you select security champions should fit the ethos of your company. Frame the program as an employee development and growth opportunity based in peer networking. One method is to use a nominations-based approach (manager, peer, or self) for identifying participants.
- Champions should first be trained in cybersecurity, then for their role as a champion. To be clear, these are two different skill sets. Participants should be confident in the cybersecurity aspects of the organization, as well as have strong interpersonal skills including communication, active listening and motivation.
- Provide your champions with easily-accessible materials they can use for reference and to reinforce consistent messaging. Allow them to take standard materials and create content that is specific to the roles and people they are supporting.
- To keep building your knowledge base, create a simple and effective way to track the questions and concerns that champions hear repeatedly. This is an important way to confirm that the content and messaging are working for the organization, and to spot gaps in policy or training that the questions reveal.
Reward Secure Behavior
Do you reward your employees when you find them following cybersecurity best practices and protocols? Why not?
Breaches are scary. The money, time, and business that can be lost as a result of a breach may lead some organizations to use fear tactics with employees to try to change their behavior. By doing so, we create employees who only react when something bad occurs. They will fail to engage in the real day-to-day practice of a cybersecurity culture.
Decades of research show that threatening punishment can be a powerful attention-getter. However, raising awareness alone does not equate to getting employees to behave the right way. In fact, it can have the opposite effect of clouding their minds with fear. This is precisely why phishing emails work so well: they contain warnings, threats and artificial urgency that push the recipient to respond out of fear instead of stopping to check. Recent research specifically on cybersecurity has shown that positive reinforcement goes much further toward eliciting the right behavior.
In a recent article for InfoSecurity Magazine, Arun Vishwanath discussed and weighed these methods, from threatening employees who click on phishing emails with more extreme punitive measures to financially rewarding those who report them. He noted that "social rewards such as public praise, recognition and appreciation through announcements acknowledging those users who have reported suspicious emails, along with appropriate communication, shows the value of this reporting works better than all other approaches." He concludes the article by noting "Effectively harnessing the power of employees through the use of appropriate strategies for incentivizing reporting is the difference between organizations that are reacting to cyber-attacks and those that are proactively stopping them."
In the fast-moving field of cybersecurity, it is easy to fall into the trap of thinking (or hoping) that with an annual security awareness course you have the "human factor" covered. But getting your people to reliably comply with policy requires a multi-faceted program of regular and open two-way communication, engaging and relevant training and internal marketing, grassroots promotion, and positive reinforcement. The good news is that taking steps to address the five components discussed in this post will take you a long way down the road to building a cybersecurity culture in your organization.
Reference: Global Learning System