There are many reasons why security fails, but one of the most overlooked is people. The most sophisticated security tools can protect you from a lot of malware and viruses, but they can’t always protect you from users who fail to practice proper “cyber hygiene” and unknowingly put information at risk through bad cybersecurity practices.
- Have you downloaded work files to your unsecured home computer so you could continue working?
- Have you emailed sensitive information to your personal account for later use?
- Have you accessed information over a public Wi-Fi network such as Starbucks?
- Did you give your co-worker your password “just in case”?
- Is your password “password”?
This short list of common security “fails” happens far more frequently than your executives would like. Honestly, they can be some of the biggest offenders, right?
Many employees do not have strong security awareness or the training needed to practice the vigilance that keeping data secure requires. A good place to start is educating employees on how they can help the company minimize its risk of data theft. Let each individual know they play an active role in the strength of the organization’s cybersecurity: a sizable percentage of the workforce doesn’t think they have any responsibility for assisting the IT department with system and network security.
Here are some practical strategies to help employees become more security savvy:
1. Create a Security Culture
It seems obvious given the high-profile breaches we’ve all seen in the news, but not enough organizations make cybersecurity a priority. They also don’t provide employees with detailed security education and training. Frequency matters too. A training session once a year is not sufficient. Focus on regular reminders and updates to training. Don’t forget to train senior staff, including the C-suite. Make sure onboarding for employees includes adequate security training, from best practices on password strength to securing physical office spaces.
2. Use Real Examples to Educate
Information here is key, as employees will respond to real-world examples. Be sure to share details of publicized data breaches, and how the initial entry point is often gained through personnel lapses, human error or lax security measures. Show them how what might seem a harmless practice can lead to breaches and quantify how that hurts your organization.
3. Make it Easy for Employees to Help
Everyone now knows that an email appeal from a Nigerian prince should be deleted, but employees need to learn about the different kinds of attacks and vulnerabilities companies face so they can identify threats more easily. Create documentation and training aids for employees to reference. Develop a reporting and escalation process that tells employees how to respond if they suspect a breach.
4. Be Supportive
Cybersecurity knowledge is not easily or universally understood. Many in your organization have never had to consider cyber threats. That’s OK. Provide them with an open environment to ask questions where they won’t feel judged for knowing less.
5. Secure C-Suite Buy-in
Sometimes senior leadership has not prioritized security because they haven’t connected the dots between a security failure and its larger business ramifications. While high-profile breaches at Target and Sony have caught the attention of boards and executives, many security teams still have to fight for the additional budget and elevated prioritization that shoring up digital defenses requires.
How can security professionals overcome this institutional challenge? Think about ways to tie security goals to larger business outcomes and objectives. Executives think in terms of risk and reward, so explain how the company’s current cybersecurity practices expose it to larger problems and how those problems could impact the business.
Maintain your credibility by keeping the threats you raise in proportion with your company’s overall risk profile. Don’t inflate risks or speculate about possible issues; keep the challenges you discuss with leadership grounded and relevant. This will pay off when you need to report on threats that are urgent.
It may seem like cybersecurity is a technical matter. In many ways it is, but it’s worth remembering that security has many sides; it’s not just about firewalls and encryption. Time spent strengthening the link between people and cybersecurity is an investment that every company should make to ensure everyone is doing their part to keep its networks secure.
Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.