How to Build an Effective Cyber Security Employee Awareness Program

January 09, 2019

Synopsis

With the proper education and awareness training, employees can be deployed as the best defense against cyber attacks. The current approach to training requires an overhaul to deal with today’s new wave of attacks.

According to the 2017 Cyberthreat Defense Report by CyberEdge Group, a lack of security awareness among employees is “the greatest inhibitor to defending against cyber threats.” A recent Verizon report found that in 60 percent of breach cases, attackers were able to compromise an organization within minutes. As businesses navigate a growing landscape of cyber threats, coaching appropriate employee behaviour will continue to be a critical risk management measure.

Taking a Non-Traditional Approach to Training

Workplace security training traditionally involves mandating that employees complete learning modules, followed by testing in the form of multiple-choice questions. The training is reinforced through executive communications and reminders any time a breach occurs.

For employees pressured to achieve higher results with fewer resources, security training becomes both a burden and a distraction. Although the training content may be comprehensive and include all the necessary instructions to put a strong security policy in place, the messages aren’t resonating with the people who need to enact them. Instead, security fatigue may be leading employees to push the information aside, dismissing threats as an “IT problem.”

Make It Personal

While the modern workplace has become focused on digital assets and connectivity, many employees have developed digital workarounds which are contributing to the problem. Even millennials, who were raised in the digital world and are aware of the need for strong cyber security habits, are not immune to taking shortcuts at the expense of proper protocols.

Introducing awareness programs that relate employees’ security practices in the workplace to a benefit in their personal lives may be an effective way to increase engagement and compliance. Demonstrating how creating strong, secure passwords or avoiding unsolicited links can protect their personal assets can transform how employees view policies they may have dismissed as unimportant or overly cautious.

Make Training Engaging

Although the content of the training modules is professionally developed, the information and delivery may not be engaging. Employees may walk away without absorbing enough knowledge to know how to recognize and avoid a security breach. Instead, companies must look for ways to increase engagement by integrating security awareness into the company’s culture.

One approach to increasing security awareness involves running a phishing exercise to reveal how many employees would click on a malicious link sent by email. When the results are reported back to employees, they have a tangible example of how their actions are linked to a potential security breach. The exercise should be followed by a comprehensive and engaging awareness campaign. The expectation is that when the phishing exercise is repeated, the results should show a significant improvement.

Encourage Rather Than Penalize

Another unfortunate traditional approach to security training involves penalizing employees with threats of discipline or dismissal for security breaches. While this approach is intended to discourage malicious intentions, it may unintentionally deliver a message that mistakes will not be tolerated.

By most estimates, only 20 percent of employee-at-fault security breaches occur due to malice on the part of the offending employee. The vast majority of security issues happen because of a lack of attention or awareness. With the threat of discipline or dismissal looming in their minds, employees may be hesitant to report security breaches.

When IT and security departments react to reports with encouragement rather than interrogations, employees become part of the solution. The benefits are two-fold. Security has the information they need to identify a breach and fix the problem. The employee is more likely to notify IT or security if they suspect a problem.

Changing the Way of Doing Business

Traditional approaches to cyber security have shifted substantially as old controls such as firewalls, anti-virus software, and security patches are no longer sufficient in and of themselves to keep organizations safe from attack. Employee education and training need to evolve to provide the right level of awareness in a format and with content that can help employees become partners in cyber security.

Find out where your company stands by completing MNP’s free Cyber Health Assessment Tool.

To find out what MNP can do for you, contact:

Ron Borsholm
B.C. Leader, Cyber Security Services
T: 778.350.3562
