Six Ways to Improve Employee Cyber Awareness
Employees can be your greatest asset or your biggest liability. Human error accounted for 46% of data breaches in 2017and social engineering campaigns are becoming increasingly difficult to spot. Even with basic cybersecurity defenses in place, one click on a phishing email or a misdirected wire transfer can cost your company hundreds of thousands of dollars, cause significant downtime, and negatively impact your brand.
You can't patch people, but these six strategies will help your company raise employee awareness about cyber risks, reduce the likelihood of a cyber incident, and foster a culture of security at your organization.
1. Educate employees about digital hygiene and cyber risk
Employees can't prioritize security if they aren't aware of their cyber risks and how to mitigate them. Educate your employees about general cyber awareness, how to spot phishing emails and best practices for creating and storing passwords. Consider implementing a formal anti-phishing training program, which can reduce successful phishing attacks by up to 90%. Make sure to hold trainings periodically, and update the content to reflect current risks.
2. Have clear security policies in place
Build security into your organization's workflow and develop specific guidelines for password management, external devices, handling suspicious emails, and remote network access. This communicates to your employees that your company prioritizes security and also gives management and HR the ability to correct employees who consistently disregard your policies and put your organization at risk.
3. Make cybersecurity relatable
Even though having policies in place is critical, most people tune-out when presented with a long list of rules. Instead of presenting cybersecurity as a burden, use clear examples that show how employee negligence can lead to a breach and what the impact of a breach would be on your company. Presenting realistic scenarios that address both cyber risks and desired responses will make a more lasting impression than a list of do's and don’ts.
4. Encourage open communication
Most Business Email Compromise (BEC) scams rely on lack of communication. Everyone at your organization should feel comfortable picking up the phone and asking their supervisor (or their supervisor's supervisor) for confirmation prior to sending any sensitive information or conducting large financial transactions. Bonus points if you formalize this communication in your security policies (i.e. all wire transfers over a certain amount must be approved over-the-phone).
5. Get buy-in from leadership
Employees typically want to get their work done quickly and may ignore security tasks—especially if they do not see value in them or are under intense pressure to meet a deadline. For employees to take security seriously, all levels of management must understand and support effective digital hygiene. Consider holding management- or executive-level cyber-awareness trainings and make sure leadership at all levels knows that security is a priority, even if it takes more time.
6. Develop an Incident Response Plan and stick to it
An Incident Response Plan is a roadmap for how to handle a cyber incident at your organization. Key personnel should be aware of their roles should an incident occur, and you should rehearse your plan to make sure everything runs smoothly. Be very detailed when creating your Incident Response Plan and, if possible, involve legal counsel with cyber experience.
At Bluestone Analytics, we have helped many businesses implement comprehensive employee cyber awareness programs. If you have questions about these strategies or are ready to take employee education to the next level with a seminar or formal training program, contact us.