The philosophy of creating a top-down security-minded culture at work makes perfect sense. How many times have you heard the saying "practice what you preach"? Often I think of parents and school teachers creating this type of top-down culture to be effective, but we really follow leaders in many settings. In the workplace, employees look to their supervisors and leaders to gauge what the culture is like. We try to determine what behaviors are acceptable by noticing the behaviors of our leaders and those around us. When the CEO takes cybersecurity seriously and leads by example, then the employees are more likely to follow suit.
Employees' Choices When No One is Around
Employees make decisions about security when they are left to their own devices or working independently, and those decisions define the security culture of your workplace. When an employee sees a suspicious link, will they go ahead and click on it to see what it is? If an employee finds a USB drive in the parking lot, will they plug it into their laptop? Educating employees and fostering change is a constant task, because the threats continue to become more advanced as technology advances, and reinforcement is key with any type of learning. Risky behaviors can be attributed to a lack of knowledge about the associated risks or to a lack of motivation. Whether employees change their cybersecurity behavior will depend on what they see their leaders treating as important.
Why Security Awareness Programs Fail
Too Many Campaigns
Today companies are under a tremendous amount of pressure to ensure compliance with regulations, regardless of industry. This can quickly become an overwhelming task and a logistical nightmare. More often than not, well-meaning employers overload employees with too many campaigns on top of an already full workload. The result is a checked box showing compliance, but little or no real value for the employees or the company. Take notice of how many campaigns you are mandating employees to complete in a given calendar year. Are they rolled out in a thoughtful, cohesive manner that gives employees time to really grasp the content? Or are they disjointed and unfocused? This is critical, because if too many campaigns are running at once, they lose impact and their value becomes almost non-existent. One way to roll out campaigns thoughtfully is to follow a prioritized, planned schedule.
In addition, some organizations make the mistake of relying strictly on mock phishing attacks. Phishing email campaigns are a great way to measure how attentive your employees are to suspicious emails. However, without the proper security awareness training included with them, they could lack impact. Phishing email campaigns need to provide real world examples with links to relevant security awareness training courses. TechGuard provides a solution that ties phishing email campaigns to security awareness courses with in-depth analytics and customizable templates that may be automated or managed for you. Also, training that is only delivered once or twice a year is not as impactful as training that is ongoing. In order to reduce security risks, organizations must change behaviors.
Also, employees do not see the buy-in. Send the message that security awareness is important from the top down by including it in employees' performance reviews. Remind employees that security is everyone's responsibility and a part of everyone's job. Update the company's vision to include security as an all-in mentality. Discuss the return on investment for employees: for a small part of their time invested in security awareness education, they reduce the risk of a very costly breach or attack for the business. Share the statistics. The average cost of a lost/stolen record containing private information is $141.00 according to a Ponemon study in 2017.
Some training courses are simply not engaging. Many of us can recall sitting through a very outdated educational video at some point in our lives. To grab employees' attention, use gamification and realistic examples to show relevance, and show the consequences of cybersecurity failures. Try some fun exercises such as a game of security trivia, or create a competition among employees to see who can create the most convincing phishing email. Reward and recognize employees for using their best judgment around security. Know that your employees are looking to their leaders to guide them in the right direction and to motivate them to make cyber-secure decisions.
Have you ever had a leader whose behavior you were motivated to model? Think of how you can create an environment that empowers positive cybersecurity choices. Protecting the company is in everyone's best interest.