Cybersecurity Culture: Empowering Your Employees
by Joshua Silberman, IT / Cyber Security Consultant, MGO Technology Group
Are your employees comfortable telling leadership about a potential problem at your company? Now ask yourself, are they comfortable telling leadership about a potential mistake? A large number of today’s cyberbreaches often begin as the result of an innocent mistake by an employee. It might be sharing a password over an unprotected median, a nefarious actor grabbing a picture of an employee’s laptop screen while they are working in public, or as is most common, an employee clicks on an innocuous link from a phishing email. What most employers may not realize is that many employee’s common sense regarding breaches is actually pretty good. At the very least they will suspect that something is amiss, which could be the first step in detecting a potential breach. Empowering your employees to actively look for, and report on, potential breaches goes a long way to helping your organization build a strong cyber security culture.
Creating a positive cyber security culture
The first step is to educate your employees on what to look out for when it comes to cyber and information risk. Many firms employ some form of basic cyber-security training, mostly at the time of on-boarding, but training usually ends there. Cyber security is an ever-shifting landscape where threats are always evolving. This is why it is important for firms to enact a year-round cyber security awareness program based around employee activities. A good employee-based cyber security awareness program will be light on technical jargon and focused on highlighting the vulnerabilities of the processes and systems that all employees use in their day-to-day work, such as instant messaging, answering e-mails, browsing the web, and sending documents through authorized and unauthorized means of file sharing. There is no great need to get into the technical details of how an attack might happen, but rather acknowledge that the danger is out there and focus on what employees can do to look out for potential dangers, such as noticing strange URL’s and suspicious e-mail attachments from unrecognized users. Consistently educating employees on current cyber threats and methods will give them the tools to identify a threat and be proactive in helping your company stop it.
Encouraging active breach and threat reporting
Training employees to spot the dangers is only half the battle. The other half is generating an effective reporting culture. No cyber security strategy is complete without a good cyber security reporting culture that puts a premium on reporting potential breaches. Here are a few suggestions to create a positive culture of reporting:
Have the team that provides your first level IT Support lead awareness/education sessions, as they will mostly likely also be the first point of contact for reporting potential breaches. The sessions can be developed by an outside consultant or an internal cyber security professional, but building a repertoire between those who should be reporting the incident and that first point of contact provides a sense of comfort that your employees are reporting the issue to the right group in the correct way.
In training, the IT support staff should make clear that reporting a threat is NOT a burden and that employees should err on the side of caution. If an employee receives an e-mail they find suspect they should not hesitate to contact their IT department through the designated reporting means.
Everyone from the organization must know and believe that the consequences of reporting a potential mistake will not be dire. Beyond feeling comfortable reporting suspicious activities, employees must also feel comfortable in reporting suspicious behavior that might be a direct result of their own actions. If an employee feels that admitting a mistake will be detrimental to their career they will keep quiet and a potential breach oversight could occur. Admittedly, this strategy carries some risk as you do not want certain behaviors to be consequence-free. However, the scope of consequence must be weighed against the actual action.
For example, an employee need not be officially reprimanded for admitting to clicking on a suspicious link and reporting it, but it would be prudent for the IT support staff to point out what could have been done differently to avoid the infraction. If the employee becomes a repeat offender, then a more official process might be warranted. Until then, simply pointing out of the issue should be enough to change behavior while maintaining a culture where employees are not fearful of bringing an issue forward.
Strong and proactive cyber security culture starts at the top
When setting the company’s cyber security policy, upper management must keep an eye toward baseline employees who perform the day-to-day actions of the company. Clear signals about saying something if you think something is wrong can go a long way toward changing your company culture. Having a strong IT or Cyber Security group is simply not enough when your own staff could unknowingly be your cyber Achilles Heel. There is a saying in cyber security that “every employee is a potential vulnerability.” However, if trained and leveraged correctly, your employees can also act as another safeguard, actively working to protect your information technology environment.
If you have any questions or would like support developing and implementing an effective cyber security program, reach out to the MGO Technology Group for a consultation.