Marie White, Founder, CEO & President, Security Mentor.
The start of a new year is an ideal time to reflect on business and strategies in general, and cyber security in particular. However, with so many cyber attacks and dire warnings, organizations can become dulled to the threat, even choosing to focus on other areas. Unfortunately, the cyber threats are all too real. [i] [ii] [iii] [iv]
The good news – there are significant, easy cybersecurity steps you can take with your staff that will immediately improve your overall cyber posture and concurrently create a positive business culture and enhance employee attitude, most with little or no cost. The new year is the perfect time to put these strategies into action.
1. Take a Positive Approach
With cybersecurity, it's easy to focus on the negative, especially since mistakes can have dire consequences. But the truth is the vast majority of people WANT to be cyber secure. By viewing your employees as you best cyber defense, you will empower them to ask questions, learn about cybersecurity, and report cybersecurity incidents.
Here are some actions you can take that will promote a positive approach to cyber awareness: i) Explain to staff why they need to do something, or not do something. Avoid providing rules and policies without explanations. ii) Provide an opportunity for employees to ask questions and get answers – such exchanges can be done through monthly staff meetings or Zoom calls, a shared space like Microsoft Teams or Slack, regular Lunch and Learns, or a multitude of other vehicles. iii) Encourage your staff to report security incidents and assure them they will help your organization and there won't be any shame or recrimination.
2. Focus on Helping People Change
Everyone makes mistakes, whether in our lives, relationships, or work. Mistakes in cybersecurity are no exception. Unfortunately, cyber mistakes by employees can be very frustrating for security staff and very dangerous for your organization.
The most important starting place to ensure cybersecurity is to arm your staff with the cybersecurity knowledge they need to protect your organization. Providing an ongoing, effective security awareness training program should be the foundation for your cybersecurity program. In addition, make employees aware of your organization's policies and what their personal responsibilities are. The new year is a great time to review security policies and ensure they capture any changes.
When cybersecurity mistakes do happen, treat them like learning opportunities. Explain to the individual what their mistake was, why it matters, and what they should do differently in the future. If you help people learn from their cyber mistakes, you'll avoid the next security incident.
For the small number of people to who continually re-offend, you may need to take more drastic measures such as revoking privileges, but that should be the rare exception and used as a last resort.
3. Understand How Your Staff Think
The human factor is a critical component of cybersecurity, but one that security staff often overlook. As a security officer, you have the opportunity to serve as a role model and convey the importance of the human element in cybersecurity. A key factor is to understand how people think and what motivates them.
Set a goal for security staff to learn something new each month about what makes people tick in general, and your employees in particular. This can be a task done by one member of the security team and then shared with the rest of the team.
Realize that each organization is its own dynamic ecosystem, and what works for another organization may not work for your staff. Some suggestions for learning about how people think is to go outside the cybersecurity and IT orbit: attend marketing talks on effective messaging, read psychology articles on the how people think and what motivates them, or watch videos on how to make training effective. Be creative and open to new ideas.
4. Try Something Different
We are all so busy. It's easy to get into a rut, and keep doing the same thing. Cyber awareness is no different.
Think about how to make cyber awareness fun and engaging. Use the new monthly ideas that you and your team have been gathering (see #3 above). Then talk with your security, training and marketing teams about ways to engage your staff. Reach out to your staff for ideas too, they'll surprise you with some excellent, out-of-the-box ideas.
Here are a few ideas for new outreaches: establish a competition with prizes for the most secure group or team, offer quarterly rewards for staff who don't get phished in phishing tests, post a funny security cartoon, ask employees to share cybersecurity tips and stories, and create interesting events for cybersecurity awareness month.
5. Commit to Doing Security Awareness Training Right
Security awareness training is not only the most visible component of your security program, it is the best way for employees to learn and care about security. But if training isn't engaging, easy-to-understand, and fun, people won't take it and, more importantly, they won't learn or change behavior. If you don't know where to start, we have some excellent resources to help you get started: Security Awareness Training: The Definitive Guide, Security Awareness Training Statistics and Trends: 2020-2021 Edition, What Is Likely Missing From Your Security Awareness Program?, and Tips to Improve Your Organization's Security Culture.
Deciding to provide effective security awareness training should be a clear decision.
For many organizations, ROI is one of the most important factors in business decisions. With security awareness training, the single greatest cost is employees' time. Therefore, to achieve the best ROI, you'll want to use employees' time most effectively. However, the most important part of your decision should be the ability of your security awareness training program to increase the cybersecurity of your organization. Select a training program that focuses equally on people and how they learn, as well as cybersecurity.
With the start of 2022, now is a great time to evaluate your overall cyber security related to the human element. Analyze the following for insight: are employee security mistakes down, are more security incidents being reported, are your employees providing positive feedback about your training program? Also, look at where there might be gaps in your cyber awareness program. Should new security policies or security awareness lessons be added? What is working, and what isn't working?
Start the new cyber year right, make the commitment to focus on the human element – your staff – and help them become one of your best cyber defenses.
[i] No Sign of Reprieve From Ransomware Frenzy for Companies in 2022. Bloomberg Law. December 27, 2021.
[ii] Ransomware has massively increased in 2021 and a new report reveals some concerning insights about it. Digital Information World. January 4, 2022.
[iii] Phishing Activity Trends Reports: 3rd Quarter 2021. APWG. November 22, 2021.
[iv] IoT under attack: Security is still not good enough on these edge devices. ZDNet. December 9, 2021.