Employees continue to be one of the top concerns for security professionals. However, it’s not always the malicious insider that causes the distress; more often it is the well-meaning employee who has grown tired of continual and tedious cybersecurity policies.
According to the Ponemon Institute, the number one concern for 70% of CISOs surveyed is the “lack of competent in-house staff.” Perhaps even more noteworthy, however, is that 54% of CISOs are concerned that they won’t be able to reduce this level of employee negligence. You may be all too familiar with this challenge as well: How can you incorporate security into your organization without tiring your employees?
Unless we change the way we address cyber fatigue, it will continue to plague the workforce. Annual training is not enough. Instead, work over time to build a culture of cyber awareness, in which engaging in the best cybersecurity practices becomes the office norm.
Let’s take a look at the necessary components to get you started:
1. Obtain support from leadership.
Company culture starts at the top and trickles down to the rest of the staff. When influential leaders are involved, they act as role models for the rest of the team.
So, how do you get your executives on board?
Align security improvements with business objectives. Explain how an employee weakness could lead to breaches that hurt the business. Drawing this connection will not only help you secure the resources you need to enforce a strict cybersecurity policy, but it will also make your executives eager to become advocates for cybersecurity.
2. Eliminate ambiguity: make the cybersecurity policies clear to all staff.
Incorporate cybersecurity training into the onboarding process for all new employees. In addition to refreshing this training yearly, find ways to remind your staff of these policies, and of the importance of following them, on a regular basis, for example through a security newsletter or email updates. If your organization has remote employees, create policies for remote workers and keep these employees updated. Ensure all employees know who their point of contact is when they are uncertain of a policy, and encourage an environment that allows for questions and open communication.
3. Set cybersecurity goals and keep the employees updated.
Create measurable, company-wide goals that connect each employee to the bigger picture. For example, if your goal is to reduce the percentage of employees who fall for a simulated phishing attack, inform your employees of this so they see how their individual actions contribute to the organization’s larger goals.
4. Acknowledge employees who engage in cybersecurity best practices.
While it is important for the staff to understand the consequences of neglecting security practices, do not create such a sense of fear that they feel uncomfortable reporting possible incidents. If someone feels they’ll be punished for having clicked on a malicious link, they will hesitate to report their potential mistake, allowing more damage to spread in the long run.
At the same time, recognize anyone who does spot an attack or is actively making efforts to contribute to the organization’s security. Find ways to incentivize this behavior. If someone feels that they’ll be rewarded for spotting a phishing attack, they’ll be more likely to report anything suspicious. Best of all, this acknowledgement will set an example for the rest of the staff.
5. Use technology that facilitates a cyber-aware culture.
In order to sustain your culture of cyber awareness, you must employ technologies that support it. The bottom line is that engaging in security practices has to be easy; otherwise employees will grow frustrated and complacent. You must invest in ways to make your company’s technology as simple and user-friendly as possible.
Consider improvements that don’t necessarily require memorizing more passwords, such as utilizing a password manager or multi-factor authentication. Reduce the number of notifications and administrative communications to only what is necessary. Automate as many processes as you can, as long as they are secure.
When you have achieved a culture of cyber awareness, employees will no longer see cybersecurity as a burden, but instead as their duty.