Make employees your best firewall, not the weakest link in your cybersecurity chain
Our recent HFS Pulse Study revealed that cybersecurity is the number one area for deploying emerging technologies. Almost 40% of respondents have implemented emerging technologies at scale across the enterprise and plan to increase their investments significantly over the next 12 to 18 months.
While we can celebrate enterprises’ focus on cybersecurity, it does not appear to be enough. It is high time for CISOs, IT leaders, and business leaders to address the elephant in the room. Sorry, I meant the human in the room.
While the focus on security is high, it’s still not enough
Latest data from the UK’s Information Commissioner’s Office revealed that human error caused 90% of breaches. Enterprises are aware of the “human” problem, but they keep trying to solve it by deploying more and more advanced technologies.
The accelerated deployment of technology is not the answer to enhancing cyber-awareness and engagement of your employees. Enterprises must seriously invest in a more people-centric approach.
Stop demonizing employees, and start recognizing good behaviors
Positive reinforcement repeated at scale institutionalizes good practices, and ultimately good practices become the culture. Enterprises should stop scaring employees about cybersecurity for an obvious reason: it makes them uninterested in security.
The UK National Cyber Security Centre highly recommends that organizations focus on positive messages around what staff can do to help rather than just the consequences of doing something they shouldn’t. An employee successfully passing three phishing tests in a row is a great achievement that deserves recognition and acknowledgment.
Some enterprises adopt a positive social reward approach by publicly recognizing or rewarding employees who demonstrate good behaviors. Recognition could be as simple as sharing cases of employees doing the right thing via newsletters or other corporate communication channels. Employees could also earn monetary incentives for repeated good behaviour, which could be anything from gift certificates to cash recognition awards.
Senior executives must lead by example and cannot delegate such responsibility
Senior executives firmly believe that cyber security is critical, with more than four out of five CEOs saying it is high on their agenda, but somehow many employees still perceive that they are not leading by example.
Many senior executives do not take time to understand security, or they simply ignore inconvenient security protocols they perceive hinder their productivity.
When leaders just talk the talk, it’s unrealistic to expect employees to walk the walk. Converting senior managers into cyber security evangelists should be high on the agenda, and the effectiveness of their cyber-aware attitude should be measured by independent risk and compliance functions.
An engaging “Beat the hacker” challenge is certainly more appealing than a mandatory “Click the next button” exercise
When it comes to evaluating the effectiveness of cybersecurity training campaigns, the measure of success for most organizations is one magic number—100% completion, on time. Security training typically comprises tick-the-box and point-in-time orchestrated assignments with one key objective: to meet compliance requirements. This mindset, unfortunately, gives enterprises a false sense of confidence that employees are adequately trained.
Innovative programs to drive employee engagement with security can be crucial
The old compliance-driven model directed at overloaded employees still appears to be the norm. Enterprises must invest in more innovative ways to engage with employees and ensure their skills evolve to respond effectively to increasingly sophisticated attacks.
Boosting cyber security awareness training with gamification or game-based learning is becoming a powerful way to continuously foster security-centric behaviour.
CISOs must communicate more effectively to impact user communities
We can summarize the communication approach many enterprises take with three words: exclusive, generic, infrequent.
An approach is exclusive when most cybersecurity communications are targeted at and crafted for one specific group: the IT user community. Cyber security is far from being an IT-only problem; it is a business resilience problem. Technical and intimidating jargon makes it very difficult for any business user to understand and interpret essential messages.
One-size-fits-all messages will certainly not achieve the intended objective, and CISOs need to be specific to communicate effectively. Stakeholder-centric communications combined with storytelling techniques make cybersecurity relatable to more communities of people.
Infrequent communications allow information to become stale, doing very little to reinforce cyber security messages. It is crucial to ensure consistent and frequent communications to staff to remind them of best practices and share the latest trends. But it is also essential to find the right balance between frequency of communications and quality of messages.
The Bottom Line: It does not take too much effort to reinvigorate your cybersecurity culture. Start now!
Senior executives must demonstrate on a day-to-day basis what good cyber security hygiene looks like. Enterprises must put employees at the centre of cybersecurity with personalized engagement, giving employees innovative methods to continuously learn, and recognizing good behaviors.
Top Voice | Automation & AI Expert & Advisor | CEO & Co-Founder | Speaker | Author | Influencer | Delivered over $100M P&L Impact to clients
1 year: I love this - fully OG approved!
Hyperautomation Transformation & Strategy @ Roboyo | Member Forbes Communications Council
1 year: The humans are loopy