It’s often said that employees are the weakest link in the security chain of a business. This is true in the sense that human mistakes or lack of knowledge about secure ways of working often contribute to security incidents – and this is why raising the awareness of cyber security among employees is critical to keeping company data secure.
But treating employees as though they are a hazard to company security can have a negative effect on company security culture as a whole. That’s why any security awareness program must, first and foremost, respect the employees themselves. So how can a company increase cyber security awareness, without alienating the employees? Read on for tips from F-Secure experts.
1. Create a culture of trust.
Marko Buuri, principal security consultant at F-Secure, emphasizes the importance of building trust among employees. A company should teach employees to recognize security problems and report them. But this should be done in an open and approachable atmosphere, so employees will want to follow through for the good of the company.
“If you treat employees as the weakest link, it’s difficult to build trust,” says Buuri. “They may not tell you if they clicked a link or opened an attachment if they fear they might be punished or ridiculed. As a security person, you want your employees to report possible security events, and that should be a positive experience for them.”
2. Make security fun and engaging, not tedious and forced.
Ville Niileksela, a security management consultant who helps companies raise employee security awareness as part of his role, used marketing ploys in a recent two-day security awareness event he ran for an insurance company.
“The employee feedback about their company trainings on other topics was that the events are so boring and dry, they are reluctant to attend,” he says. “We work hard to deliver security awareness events that are interesting and engaging. We don’t want them to feel like it’s just another training they’re forced into.”
Niileksela’s event featured a large outdoor glass-walled tent with a champion coffee barista to attract an audience. His team showed quick 5-minute flash presentations about cyber security topics, to keep things light but interesting and meaningful.
In the end, over half of the company’s workforce attended the training, and the feedback was overwhelmingly positive from both participants and company executives.
3. Stress that a security mindset is for everyone, every day.
Security is not just for the IT people. Let your employees know that every one of them plays an important role in keeping the company secure. It’s a mindset that should be baked into all our activities, at work and in our personal lives. This means making the right choices around small tasks and behaviors – locking your laptop when leaving it unattended even for a short period, or not letting strangers into security-protected areas without proper identification. Because in the end, security comes down to the little practical things we do.
“It doesn’t matter if you know all the articles of GDPR, if you leave your desk a mess and you discuss company confidential information in a public place,” says Niileksela.
4. Teach employees the critical info that is sensitive and confidential to the business.
If they don’t know it’s confidential, can you blame them for not properly protecting it? Every business is different and every business has different information to protect. Employees should be aware of the sensitive information in your company that can’t be shared with the outside world. They should also be trained how to handle it and protect it – for example, properly verifying a customer’s identity before discussing their case, shredding sensitive hard copies, and using unique passwords when logging in to services.
Examples of sensitive information are customer information, R&D plans and product development projects, sales contracts, company financial information, employee information, and company network architecture diagrams.
5. Build security training into everyday life.
Security should not just be a once-a-year training; employees should have regular reminders in an engaging and inspiring form. A great example of keeping cyber security top-of-mind is using a program for simulated phishing emails. Employees periodically receive simulated phishing emails and are rewarded points for recognizing them as phishing. If the employee falls for the email and clicks on the email link or opens the attachment, they get a mini training to help them recognize it as phishing next time around. The game factor of such programs makes it fun, and they also help employees to become more skeptical about arrivals to their inbox.
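To show what the scoring side of such a program looks like in practice, here is a small added example (not F-Secure’s code, and not tied to any particular phishing-simulation product). It processes a constructed event log from one simulated campaign, awards points for reporting, flags anyone who clicked or opened the attachment for the mini training, and computes the report rate and fall rate that a security team would track over time. The point values, event names and the rule that a report made after a click still earns a reduced reward are assumptions of this example, chosen to reflect the trust-building advice above.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events from one simulated phishing campaign (not real data).
# Each tuple is (employee, action); action is one of the EVENT_TYPES below.
SAMPLE_EVENTS = [
    ("alice", "sent"),
    ("alice", "reported"),            # recognized it and reported: full points
    ("bob", "sent"),
    ("bob", "clicked"),
    ("bob", "reported"),              # reported after clicking: still valuable
    ("carol", "sent"),
    ("carol", "opened_attachment"),   # fell for it and never reported
    ("dave", "sent"),                 # did nothing: neither a report nor a click
]

EVENT_TYPES = {"sent", "clicked", "opened_attachment", "reported"}
FELL_FOR_IT = {"clicked", "opened_attachment"}
REPORT_POINTS = 10        # assumed reward for a clean report
LATE_REPORT_POINTS = 5    # assumed reduced reward for reporting after a click


@dataclass
class EmployeeResult:
    points: int = 0
    fell_for_it: bool = False
    reported: bool = False
    needs_training: bool = False


def score_campaign(events):
    """Fold campaign events into a per-employee result.

    Reporting is always rewarded: a late report earns fewer points than a
    clean one, but it is never penalized, so people are not discouraged
    from telling the security team what happened.
    """
    results = defaultdict(EmployeeResult)
    for employee, action in events:
        if action not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {action}")
        r = results[employee]
        if action in FELL_FOR_IT:
            r.fell_for_it = True
            r.needs_training = True      # assign the mini training
        elif action == "reported" and not r.reported:
            r.reported = True
            r.points += LATE_REPORT_POINTS if r.fell_for_it else REPORT_POINTS
    return dict(results)


def campaign_metrics(results):
    """Report rate and fall rate over everyone who received the email."""
    total = len(results)
    if total == 0:
        return {"report_rate": 0.0, "fall_rate": 0.0}
    reported = sum(1 for r in results.values() if r.reported)
    fell = sum(1 for r in results.values() if r.fell_for_it)
    return {"report_rate": reported / total, "fall_rate": fell / total}


def training_queue(results):
    """Employees who should receive the mini training, sorted for stable output."""
    return sorted(name for name, r in results.items() if r.needs_training)


if __name__ == "__main__":
    res = score_campaign(SAMPLE_EVENTS)
    for name, r in sorted(res.items()):
        print(f"{name}: {r.points} points, reported={r.reported}, training={r.needs_training}")
    print(campaign_metrics(res))
    print("training queue:", training_queue(res))
```

Tracking the report rate alongside the fall rate matters: a campaign where many people click but most of them also report is a better outcome than one where nobody clicks and nobody reports, because the first group has learned to tell the security team.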
Posters, games, quizzes, funny newsletters, blogs and handouts like our Data Protection Checklist also are great ways to provide regular reminders to cultivate secure ways of working.
Download our quick and easy Data Protection Checklist to share with your employees.