At our recent Customer Advisory Board event, our customers told us that among their myriad responsibilities is producing and managing their company’s security awareness program. It’s one of the best weapons in their arsenal against poor password hygiene, phishing attempts, and other factors that increase exposure to account takeover. We discussed strategies to improve the program, including how to increase participation. To commemorate National Cybersecurity Awareness month, we’re sharing the information with our readers. Have feedback or additions to the ideas below? Contact us here!
Every day, cybercriminals and hackers work to infiltrate IT systems to steal valuable data. To do this, they rely on human error – employees who don’t take password hygiene seriously, who click questionable links or fail to install software patches.
And every day, they succeed. Most breaches are too small to make the national news, but they’re large enough to do serious, long-lasting damage to an organization. For the lucky ones, that may mean a hit to the bottom line or reputation with customers. Others are not so lucky. In fact, 60 percent of small businesses are out of business within six months after a breach.
The stakes are just getting higher. In 2019, the average total cost of a data breach is nearing $4 billion — and that figure is even higher for U.S. companies. More than a third of that cost comes in the form of customer mistrust and lost business. Research also shows that “long tail” costs can impact the business for years after an event.
This is why every organization, no matter its size, should have a robust security awareness program as part of its comprehensive security posture. Most companies already do – but are they effective? If you suspect your current program is not, and you’re looking for ways to boost engagement, read on. We’ve got proven tips that can help employees understand the stakes – that literally, their livelihoods depend on it.
1. Embed security into your culture
Most companies rely on annual security training, forcing employees to spend hours in a generic class that likely has nothing to do with their jobs. Break it up! Create shorter training modules that employees participate in quarterly, or even monthly. Focus on one aspect of security at a time. Include tips and reminders as part of your overall internal communications plans. Embed security into every employee engagement program.
2. Make it personal
Make lessons applicable to personal internet use – how to use two-factor authentication on their social media platforms, for example. Offer tips they can share with family. Users are invested in their personal security, which makes a great starting point for education.
Once you have their attention, help your employees make the link between professional and personal security. Remind them that their own personal data – their social security numbers and those of their significant other and children, their home address and payroll information – live in their company’s systems. Make the connection between their awareness and the company’s success very direct: a breach could mean the difference between a raise or not; between layoffs or not.
3. Use more engaging formats
Videos can be a great way to increase engagement – but keep them short, no longer than two or three minutes. And it doesn’t have to be all doom and gloom! Inject some humor into the videos. A quiz at the end can ensure employees are watching.
4. Make it interactive
Make it easy for employees to ask questions. That could be in the form of a dedicated Slack or Yammer channel, allowing a set group of employees to provide answers, or a chat bot manned by the security team that pops up on the screen during training videos to handle questions as they arise.
5. Gamify it!
Gamification is a proven way to boost engagement. For example, if you can get employees to take on the role of a hacker, to really understand how they think and what their motivations are, it can wire the brain for long-term behavior change. Or create an escape room: a physical game in which players solve a series of puzzles using clues, hints and strategy to complete the objectives. Red team/blue team exercises, tabletop exercises and virtual hackathons can all also help employees really understand the stakes.
6. Create a single source of truth
Have all your policies, procedures and processes turned into a single, easy-to-find, searchable guide on your company’s intranet – and make sure it’s written in plain English!
7. Testing, 1-2-3
Periodically run phishing campaigns against your employees. Let them know ahead of time what you’re doing, then share the results – anonymized, of course. Shame is definitely not a motivator. Encourage employees to improve results quarter over quarter.
8. Include newly acquired employees
Security awareness training should be part of onboarding for employees who join through an acquisition or merger. These employees will have access to your wiki, shared docs, engineering systems and customer data pretty quickly, and you shouldn’t just assume they’ve had the same training.
9. Reward often; penalize sparingly
Rewarding good behavior and ignoring the bad works great for dogs and toddlers, and for the most part, encouraging employees through rewards – even if it’s just a personal note on a job well done – is generally the most effective way to inculcate good behavior.
But at a certain point, disciplinary action may be necessary. In those cases, consider a phased approach. Strike one means additional training. Strike two might be a sternly worded note and more education, while strike three may mean the issue gets escalated to the employee’s supervisor.
Education is never enough
Despite your best efforts, you should still count on a certain amount of thoughtless user behavior. No one is perfect – and that’s why human error remains a top vector when it comes to security breaches.
Your employees are busy, hard at work for your organization. It’s inevitable that some of them will slip up and take shortcuts – like reusing passwords they can easily remember, one of the most common forms of poor security hygiene. Many well-intentioned users don’t think they’re doing anything wrong when they modify a favorite password to make it “different enough.” And while technically that’s not reusing passwords, this “recycling” most definitely weakens your organization’s security posture.
That’s why education is just one piece of the security puzzle. You should also be taking advantage of software and other tools as a bulwark against human error. A solution like SpyCloud ATO Prevention sends your security team an automated alert when a user logs in with a compromised password, enabling quick action such as a password reset or step-up authentication process – preventing exposures from progressing to account breaches.
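As an added illustration of the two controls this section describes (catching "recycled" passwords at change time, and forcing step-up or a reset when a login uses a known-compromised password), here is example code written for this post; it is not SpyCloud's product code. The breach set, the leet-speak table and the edit-distance threshold are assumptions chosen for the example.

```python
import hashlib
import re

# Constructed sample breach corpus for this example: SHA-1 digests of passwords assumed
# to appear in a credential dump. Not real breach data; a real check would query a
# breach-data service rather than an inline set.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Winter2019!", "Summer2018", "Password1")
}

# Assumed leet-speak substitutions users apply to make a password "different enough".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def canonical(pw: str) -> str:
    """Undo the cosmetic tweaks behind password recycling: case, trailing digits/symbols, leet."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())  # strip the "2019!" style tail first
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; cheap enough for two short strings at password-change time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_recycled(old_pw: str, new_pw: str, max_edits: int = 2) -> bool:
    """True when new_pw is old_pw with cosmetic changes. Both values are only available in
    plaintext at change time, when the user proves the old password; never store them."""
    a = canonical(old_pw) or old_pw.lower()  # fall back when the password is all digits/symbols
    b = canonical(new_pw) or new_pw.lower()
    return levenshtein(a, b) <= max_edits


def login_check(password: str, breach_hashes=COMPROMISED_SHA1) -> str:
    """Post-verification login decision: a correct but compromised password gets step-up
    authentication and a queued reset instead of a normal session."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return "step_up_and_force_reset" if digest in breach_hashes else "allow"
```

Hashing the submitted password with SHA-1 here only mirrors how breach corpora are typically distributed for lookup; it is not a storage scheme and the stored credential hash stays untouched.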
Interested in learning more?