Raising employee awareness of cybersecurity means building an environment of sustained alertness: training staff, and writing, maintaining and monitoring documentation of the company’s cybersecurity policies. Creating a formal plan is a relatively straightforward process, and that documentation can then serve as the guideline for your network team.
Earl Foote, CEO of Utah cybersecurity company Nexus IT, says, “While training tips and education help, there is no perfect solution. Awareness and communication are your best defenses against inadvertent employee-assisted cyberattacks.”
The following measures can help you raise awareness among staff members.
How Do You Perform “Live Fire” Training Exercises?
Foote and Nexus IT recommend live fire training. As the name suggests, it puts users through the attack scenarios they might encounter on the job: they become the target of a simulated attack orchestrated by the security team or a trusted vendor. After the exercise, ask questions to confirm understanding, including the implications for the business and for them personally.
You could also stage simulated phishing emails to see how employees react. Once you tally who clicked the link or opened the attachment, you can report the results by department and by message type. This tells you which departments should attend training first and which lures work best against your staff.
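As an added example (not code from the article or from Nexus IT), the script below takes the kind of per-recipient export a phishing-simulation tool produces, computes click and report rates by department and by message type, and ranks departments for training. The CSV column names, the action vocabulary and the sample rows are constructed assumptions; substitute your own tool's export format.

```python
"""Tally the results of a simulated phishing campaign by department and
message type, and rank departments for training priority.

Added example, not from the original article or from Nexus IT. The record
format (one CSV row per recipient) and the field names are assumptions;
the sample data below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per recipient per simulated email.
# action is one of: clicked, reported, ignored ("reported" means the user
# flagged the message to security without clicking).
SAMPLE_RESULTS = """\
user,department,template,action
alice,Finance,invoice_overdue,clicked
bob,Finance,invoice_overdue,reported
carol,Finance,password_reset,clicked
dave,Finance,password_reset,clicked
erin,Engineering,invoice_overdue,ignored
frank,Engineering,password_reset,reported
grace,Engineering,password_reset,reported
heidi,Engineering,shared_document,clicked
ivan,Sales,shared_document,clicked
judy,Sales,shared_document,clicked
mallory,Sales,invoice_overdue,ignored
oscar,Sales,password_reset,reported
"""


def parse_results(text):
    """Parse the CSV export into a list of dicts; reject unknown actions
    so a changed export format fails loudly instead of skewing the rates."""
    allowed = {"clicked", "reported", "ignored"}
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["action"] not in allowed:
            raise ValueError(f"unknown action {row['action']!r} for {row['user']}")
        rows.append(row)
    return rows


def rates_by(rows, key):
    """Click and report rates grouped by `key` ('department' or 'template').

    Returns {group: {"sent", "clicked", "reported", "click_rate", "report_rate"}}.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in rows:
        g = counts[row[key]]
        g["sent"] += 1
        if row["action"] == "clicked":
            g["clicked"] += 1
        elif row["action"] == "reported":
            g["reported"] += 1
    for g in counts.values():
        g["click_rate"] = round(g["clicked"] / g["sent"], 3)
        g["report_rate"] = round(g["reported"] / g["sent"], 3)
    return dict(counts)


def training_priority(rows):
    """Departments ordered for training: highest click rate first; among
    equal click rates, the department whose staff report least goes first."""
    by_dept = rates_by(rows, "department")
    return sorted(
        by_dept,
        key=lambda d: (-by_dept[d]["click_rate"], by_dept[d]["report_rate"]),
    )


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    for name in ("department", "template"):
        print(f"--- by {name} ---")
        for group, s in sorted(rates_by(rows, name).items()):
            print(f"{group:16} sent={s['sent']:2} clicked={s['clicked']:2} "
                  f"reported={s['reported']:2} click={s['click_rate']:.0%} "
                  f"report={s['report_rate']:.0%}")
    print("training priority:", " > ".join(training_priority(rows)))
```

The report rate is tracked alongside the click rate on purpose: a department that clicks rarely but also never reports gives the security team no early warning, while the employees who do report are exactly the people a recognition program can single out. Breaking the same data out by template shows which lure (a fake invoice, a password reset, a shared document) needs the most attention in the next training session.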
Why Is Buy-in from Stakeholders Important?
Brian Leimbach, whose company offers interim CIO services, says, “It’s the Chief Information Security Officer’s job to inform the C-suite of a potential breach. In order to have a viable cyber plan, it has to be an integral part of the budget, including the software, hardware and people needed to protect the network. Getting sign-off from the CIO, CFO, and CEO is critical to maintaining the budget year after year and gaining the authority needed to prevent cybercrime.”
What Should Be Addressed During Onboarding?
Cyber threats, a leading risk for small businesses, should be addressed during orientation, preferably as soon as new hires walk through the door. Before they access the network for the first time, employees should already understand the risks and the policies that apply to them.
How Can You Incorporate It Into Evaluations?
Performance evaluations related to cybersecurity have to address both the employees and the systems under scrutiny. Where possible, the live fire test should run its scenarios in a test or staging environment that closely mirrors production, rather than against production systems themselves.
What’s the Best Way to Communicate the Cyber Plan?
Formulating and communicating a comprehensive cybersecurity plan is a good way to get all departments working on a cross-functional solution. Besides the obvious benefits of having a cyber plan that is well understood, the process helps break down silos because it requires collaboration and a sharp focus on a common goal. While initial reviews may best take place in the executive suite, each department head should communicate the plan to their staff and sign off on some form of compliance ownership.
Who Creates the Formal Plan?
Ideally, the IT and security teams develop the formal plan, taking into account input from staff members throughout the company. Once written, the plan should be reviewed and signed off on by the applicable stakeholders. The security team can then establish a process for keeping the plan current as threats and risks change.
Who Are Your Cybersecurity Culture Advocates?
Tech leaders should request an advocate from every department. These advocates help keep the rest of the team updated on the latest changes to the cyber plan. This simplifies ongoing training and keeps the topic fresh in employees’ minds.
How Often Should Employees Be Retrained?
Cybersecurity training should be ongoing throughout the company. Yearly refresher courses can be delivered automatically through the corporate intranet, or in a classroom for small organizations. The material should be tailored to the audience: the IT team, for example, may need more technical training than employees whose access is more restricted.
What’s the Best Way to Stress Security at Work and Home?
Tech leaders can help the rest of the staff understand the importance of preventing cyber intrusions at work and at home. Newsletters covering security and privacy, geared toward practical applications, keep the topic fresh and support compliance efforts. The more often staff members see the topic and review the policies, the less likely they are to put the company at risk.
Is There an Appropriate Reward System for Employees?
Share stories about cyber heroes who find and report malicious emails. Recognition could include gift cards, additional PTO or whatever makes sense for your organization. Campaigns to recognize vigilant employees can be humorous and slightly irreverent — use whatever methods fit your culture and budget.