How to Increase Employee Engagement in Your Security Awareness Program

For National Cybersecurity Awareness Month, enterprises should consider employee education through a security awareness program

At our recent Customer Advisory Board event, our customers told us that among their myriad responsibilities is producing and managing their company’s security awareness program. It’s one of the best weapons in their arsenal against poor password hygiene, phishing attempts, and other factors that increase exposure to account takeover. We discussed strategies to improve the program, including how to increase participation. To commemorate National Cybersecurity Awareness Month, we’re sharing the information with our readers. Have feedback or additions to the ideas below? Contact us here!

Every day, cybercriminals and hackers work to infiltrate IT systems to steal valuable data. To do this, they rely heavily on human error – employees who don’t take password hygiene seriously, who click questionable links, or who delay installing software patches.

And every day, they succeed. Most breaches are too small to make the national news, but they’re large enough to do serious, long-lasting damage to an organization. For the lucky ones, that may mean a hit to the bottom line or reputation with customers. Others are not so lucky. In fact, 60 percent of small businesses are out of business within six months after a breach.

The stakes are just getting higher. In 2019, the average total cost of a data breach is nearing $4 billion – and that figure is even higher for U.S. companies. More than a third of that cost comes in the form of customer mistrust and lost business. Research also shows that “long tail” costs can impact the business for years after an event.

This is why every organization, no matter its size, should have a robust security awareness program as part of its comprehensive security posture. Most companies already do – but are those programs effective? If you suspect your current program is not, and you’re looking for ways to boost engagement, read on. We’ve got proven tips that can help employees understand the stakes – that, quite literally, their livelihoods depend on it.

1. Embed security awareness training into your culture

Most companies rely on annual security training, forcing employees to spend hours in a generic class that likely has nothing to do with their jobs. Break it up! Create shorter training modules that employees participate in quarterly, or even monthly. Focus on one aspect of security at a time. Include tips and reminders as part of your overall internal communications plans. Embed security into every employee engagement program.

2. Make it personal

Make lessons applicable to personal internet use – how to use two-factor authentication on their social media platforms, for example. Offer tips they can share with family. Users are invested in their personal security outside of the workplace, which makes a great starting point for education.

Once you have their attention, help your employees link professional and personal security. Remind them that their personal data – their own social security numbers and those of their significant other and children, their home address, and their payroll information – lives in the company’s systems. Make the connection between their awareness and the company’s success very direct: a breach could mean the difference between getting a raise and not getting one, or between keeping their jobs and a round of layoffs.

3. Use engaging formats

Videos can be a great way to increase engagement – but keep them short, no longer than two or three minutes. And it doesn’t have to be all doom and gloom! Inject some humor into the videos. A quiz at the end can ensure employees are watching.

4. Make it interactive

Make it easy for employees to ask questions. That could be a dedicated Slack or Yammer channel where a designated group of employees provides answers, or a chatbot staffed by the security team that pops up on the screen during training videos to handle questions as they arise.

5. Gamify it!

Gamification is a proven way to boost engagement. For example, if you can get employees to take on the role of a hacker, to understand how they think and what their motivations are, it can wire the brain for long-term behavior change. Or create an escape room: physical games in which players solve a series of puzzles using clues, hints and strategy to complete the objectives. Red team/blue team, tabletop exercises, and virtual hackathons can also help employees understand the stakes.

6. Create a single source of truth

Have all your policies, procedures and processes turned into a single, easy-to-find, searchable guide on your company’s intranet – and make sure it’s written in plain English!

7. Testing, 1-2-3

Periodically run phishing campaigns against your employees. Then share the results – anonymized, of course. Shame is definitely not a motivator. Encourage employees to improve results quarter over quarter.

8. Include newly acquired employees

New employees from acquired or merged companies should receive security awareness training as part of their onboarding. They will have access to your wiki, shared docs, engineering systems, and customer data pretty quickly, and you shouldn’t just assume they’ve had the same training your existing staff have.

9. Reward often; penalize sparingly

Rewarding good behavior and ignoring the bad works great for dogs and toddlers, and it works for employees too: encouraging them through rewards – even if it’s just a personal note on a job well done – is generally the most effective way to teach good behavior.

But at a certain point, disciplinary action may be necessary. In those cases, consider a phased approach. Strike one means additional training. Strike two might be a sternly worded note and more education, while strike three may mean the issue gets escalated to the employee’s supervisor.

Education is only the first step

Despite your best efforts, you should still count on a certain amount of thoughtless user behavior. No one is perfect – and that’s why human error remains a top vector when it comes to security breaches.

Your employees are busy, and work hard for your organization. Some of them will inevitably slip up and take shortcuts – like reusing passwords they can easily remember, one of the most common forms of poor security hygiene. Many well-intentioned users don’t think they’re doing anything wrong when they modify a favorite password to make it “different enough.” And while technically that’s not reusing passwords, this “recycling” most definitely weakens your organization’s security posture: an appended year, an extra “!” or a capitalized first letter is a predictable change, and once the original password appears in a breach, its variants are easy to derive from it.

That’s why education is just one piece of the security puzzle. You should also be taking advantage of software and other tools as a bulwark against human error. A solution like SpyCloud ATO Prevention sends your security team an automated alert when a user logs in with a compromised password, enabling quick action such as a password reset or step-up authentication process – preventing exposures from progressing to account breaches.
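As an added illustration of the login-time check described above (this is example code written for this article, not SpyCloud’s product code or API), the Python below flags a login that uses either an exactly compromised password or a predictable “recycled” variant of one, and returns the action the login flow should take. The breach records, email addresses, passwords, function names and the normalization rules are all constructed assumptions for the example.

```python
import hashlib
import re

# Constructed breach records (email -> passwords observed in breach data).
# These values are invented for the example; a real deployment would take
# them from a breach-monitoring feed rather than a literal in the code.
SAMPLE_BREACH_RECORDS = {
    "alice@example.com": ["Summer2018!", "alice123"],
    "bob@example.com": ["P@ssw0rd"],
}

# Common character substitutions users apply when "changing" a password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse predictable variants of a password onto one root.

    Lowercase, drop the trailing digits/symbols people append (years,
    '!', '123'), then undo leet substitutions, so that 'Summer2018!',
    'Summer2019!' and 'summer!!' all map to 'summer'.
    """
    lowered = password.lower()
    root = re.sub(r"[^a-z]+$", "", lowered)
    # A password made only of digits/symbols has no letter root; keep it whole.
    if not root:
        root = lowered
    return root.translate(LEET_MAP)


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_index(records):
    """Index breach data as hashes so plaintext passwords are not kept around.

    For each account we keep two sets: digests of the exact exposed passwords
    and digests of their normalized roots.
    """
    index = {}
    for email, passwords in records.items():
        index[email] = {
            "exact": {_digest(p) for p in passwords},
            "roots": {_digest(normalize(p)) for p in passwords},
        }
    return index


def check_login(email: str, password: str, index=None) -> dict:
    """Decide whether a successful login used a compromised or recycled password.

    Returns a verdict the login flow can act on: force a reset for an exact
    match, require step-up authentication for a predictable variant, and
    allow otherwise.
    """
    if index is None:
        index = build_index(SAMPLE_BREACH_RECORDS)
    entry = index.get(email)
    if entry is None:
        return {"alert": False, "reason": "no_exposure_on_file", "action": "allow"}
    if _digest(password) in entry["exact"]:
        return {"alert": True, "reason": "exact_match", "action": "force_reset"}
    if _digest(normalize(password)) in entry["roots"]:
        return {"alert": True, "reason": "recycled_variant", "action": "step_up_auth"}
    return {"alert": False, "reason": "no_match", "action": "allow"}


if __name__ == "__main__":
    for email, pw in [("alice@example.com", "Summer2019!"),
                      ("bob@example.com", "P@ssw0rd"),
                      ("bob@example.com", "a long unrelated passphrase")]:
        print(email, check_login(email, pw))
```

The normalization is deliberately small (trailing suffixes and a handful of leet substitutions) to show the idea; a production check would cover more variant patterns and would compare against the breach feed through the provider’s own protocol rather than an unsalted SHA-256 set held locally, since a leaked root digest is still guessable. The point it demonstrates is the one the article makes: an exact match calls for an immediate reset, while a near-variant is a signal worth a step-up challenge before the account is taken over.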
