How to market security: 8 tips for recruiting users to your cause

Getting users to care about security is a much-lamented challenge. What you need is a marketing plan.


The figures aren’t encouraging: Recent reports have concluded that most employees don’t know much about cybersecurity best practices.

The third annual State of Privacy and Security Awareness Report, released by security education and training firm MediaPRO in 2018, found that 75% of the 1,024 U.S. employees surveyed lacked basic cyber awareness.

Mimecast reported similar findings. The company, which specializes in cloud-based email management, commissioned Google Consumer Research to survey 1,000 employees across various sectors and found that some 25% of them were unaware of the most common cybersecurity threats, such as phishing and ransomware attacks.

Furthermore, Mimecast found that about half of those surveyed said their employers did not have mandatory cybersecurity training, with 10% saying their employers had optional training and some 10% saying they only received formal cybersecurity training during their onboarding process.

Given those statistics, it’s no wonder that cybersecurity experts still consider humans to be the weakest link in the security layers meant to safeguard an organization’s systems and the data they contain.

That stance may be no mystery. But there’s something that has long puzzled many security chiefs: How to get more workers to care about security and be more actively engaged in protecting their organizations.

Experts say there are, indeed, strategies that CISOs can pursue to better market the security message and mobilize employees to join the security mission: strategies that support, enable and empower workers rather than scaring them with tales of cyber doom and gloom.

“It’s about winning people’s hearts and minds, giving them a reason to care. It’s about helping people understand what’s in it for them,” says Joe Nocera, a principal in PwC’s Cybersecurity & Privacy practice. “CISOs who say what people shouldn’t do aren’t good at helping drive change and build support. And selling on fear, uncertainty and doubt doesn’t build support for the security program. CISOs need to communicate how security helps the business.”

To better market the value of security and win converts over to the cause, here are eight proven strategies that can get the job done:

Keep it short

Tony Velleca, CISO at IT services and solution firm UST Global, says long classes on security protocols would burden workers at his company, who are busy enough with their day-to-day tasks. So he moved away from full-scale training sessions to short bursts of targeted learning. Now he launches unannounced simulation scams, such as phishing attacks, every month, creating phony campaigns tailored to trick employees based on their job roles. “We make it look like something very real, so we’ve gotten more sophisticated,” he explains. If someone falls for it, the worker is alerted right away and offered a brief on-the-spot refresher course on security protocols (with the option to watch later). That short-and-sweet approach gets the point across without generating employee resentment against the security team for taking up too much of their time.

Make it personal

Security chiefs who want to win over workers need to connect with employees as individuals, showing them how following security steps can help them in their own specific jobs and in their own private lives. “The more that you can personalize the experience, the better. If you make it real for them and show them how it impacts them or their ability to do their job, then they understand what’s in it for them and why they should care about it,” Nocera says. That could mean teaching workers how to keep their kids safe online as well as how to securely handle client data while in the office. Velleca adds: “That turns it around from security being the bad guys to being the ones seen as helping.”

Identify ambassadors

Lear Corp., a maker of automotive seating and electrical systems with 161,000-plus employees, gets its security message out via posters, videos, podcasts, articles, digital signage and interactive lessons, often leveraging Yammer to tap into the company’s active community that uses that platform.

But CISO Earl Duby doesn’t stop there. He and his security team created a Security Awareness Ambassador program in June 2017, using the program to distribute educational material and recognize workers who exemplify security awareness or best practices with “challenge coins.”

“At the time, the whole world was concerned with preventing impact from the WannaCry ransomware virus. We saw the opportunity to rebrand Information Security as something that everyone should take home with them. We wanted to get the message across that the fight against cyber-threats unites and involves everyone – it’s not just about Lear, or any individual company. Most importantly, we wanted to cast Information Security as a people problem not a technology problem, and focus more on the people of Lear and how to give them the tools they need to fight back against cyber criminals (which we often refer to as cyber bullies),” Duby says.

Enlist other executives

When it comes to marketing the security message, Bryan Willett doesn’t see the need to go it alone. Willett, CISO at Lexmark, a global imaging solutions company, says he has worked to ensure that his C-suite colleagues are onboard with the company’s security policies and procedures so that they’ll help sell the security message to their own teams. “I have to have the CEO and all the business leaders aligned with the security mission, so I can have their help in their area meetings or the all-employee meetings, to reiterate the focus on security and privacy. If I don’t have that leadership involved in helping to spread the mission and the goals, then I can talk all I want and it won’t hit home,” he says.

Show the value

Lexmark’s customers value security in its business partners, so much so that many customers ask for information on Lexmark’s security strategies. As such, Willett says he knows that a strong security program has business value, and he’s not shy about calculating and articulating that value when discussing existing security requirements or new initiatives. “Security has been a top concern for our customers for a long time, and our senior leadership knows that. They know we want to take the necessary security steps so that our customers have confidence in the products we’re delivering,” he says, adding that framing security in terms of that business value helped him build support for various security investments, including ISO certifications.

Be responsive

Willett’s security infrastructure sends up alerts about potential threats, as security systems in most organizations do. But unlike some security departments, Willett’s team focuses on reacting quickly to the technology risk as well as responding to the employees involved in the incident. “We have scripts that go out to employees when we see something happening. We give them actions to take now and also give them more information on background – such as how this could have occurred and what steps they could take to keep it from happening again,” Willett explains, saying that he thinks of this outreach as “situational coaching.” Willett says the outreach information is sent via email for more routine incidents, with security staff reaching out personally for more complex issues. Either way, that outreach helps position the security function as a helpful one. “The information tries to educate them at the point in time when the events occurred. It’s effective and employees appreciate the guidance,” Willett says.

Build good will

“Your job as a security officer is to make it as easy as possible to do business with you,” says Jason Taule, vice president of standards and CISO for HITRUST and former CISO for FEI, CSC, General Dynamics and more. He and other cybersecurity leaders agree that CISOs who want to generate good vibes about security within their organization need to earn that good will, not only by promoting security awareness but by working with the business and enabling their business colleagues to do their jobs securely without having to jump through hoops. As the old saying goes, the best advertisement is a satisfied customer.

Empower employees

Duby says his security team tracks the effectiveness of its security awareness efforts in part by watching the amount of engagement they see throughout the company’s workforce. For example, they look at activity within their Yammer group and monitor how many people share awareness efforts. They also track the volume of workers self-reporting security issues, recognizing that the more people report their suspicions, the more aware they are and see security as a partner in the process. Lear also has a Security Awareness Month, with events and activities planned over the four weeks; October 2019 will mark the company’s third annual Security Awareness Month.

Duby says this month-long event, the security team’s ongoing education and outreach efforts, and his department’s work to recognize workers for being security minded all go to empowering employees. And that sense of empowerment helps workers see security in a positive light. “Our program offers people a sense of individual opportunity, not just to win a coin or protect a company, but to participate in an incredibly important fight to protect people from cyber-attacks,” Duby says. “The program champions a mission that is more inspiring than policies ever could be.”

Copyright © 2019 IDG Communications, Inc.