How managers can best communicate the importance of cybersecurity to employees

Mar 09, 2018 | 5 mins
Data and Information Security, IT Leadership, IT Skills

We must challenge ourselves to think differently about how and what we’re communicating if we want to be successful in making security a priority for our employees.


A recent Kaspersky Lab survey of nearly 8,000 full-time employees found that only 12% claim to be fully aware of their organization’s IT security policies and rules.

Based on this finding, current communication tactics aren’t making much of an impact. More communication is part of the answer, but, as the old saying goes, doing the same thing repeatedly and expecting a different outcome isn’t rational. The answer is more communication, delivered differently.

When it comes to communications in general, I’m a member of the ‘repetition-is-effective-communication’ camp. People need to hear a message multiple times to make it stick.  However, I think we must challenge ourselves to think differently about how and what we’re communicating if we want to be successful in making security a priority for our employees.

Start communicating on Day 1

Employees are keen to start on the right foot and onboarding is a time when they’re uniquely receptive and eager to do the right thing. Make security a key element of onboarding tasks with a three-part approach:

  • A basic introduction from your IT/security team about corporate security policies that covers on-premises and remote access to resources, bring your own device (BYOD) and bring your own software (BYOS) use, use of cloud applications and storage, and similar topics.
  • An interactive elearning course on security awareness that addresses password hygiene, phishing and spear phishing scams, and physical office security. The course should incorporate knowledge checks to confirm comprehension.
  • A discussion between the manager and new employee that covers sensitive data (like customer information and intellectual property) and non-disclosure agreements. Most importantly, this discussion should clearly identify the types of sensitive data the new employee will have access to and the ramifications if this data is lost.

Use powerful analogies

“Analogies matter,” John Pollock, author of Shortcut: How Analogies Reveal Connections, Spark Innovation, and Sell our Greatest Ideas, says. “The analogies we use have a big impact on outcomes, both positive and negative.”

Bruce Hallas, who founded The Analogies Project, is a believer in the power of useful security analogies. He describes trying to relay the importance of backups to librarians and how an analogy came to the rescue by grabbing attention and motivating the librarians to care:

“The Library of Alexandria …was one of the great wonders of the ancient world, and all was lost because the library didn’t have backups. Jaws dropped open. The librarians got it. That’s the power of analogy.”

Show, don’t tell

Whenever you have the opportunity to demonstrate instead of talking, take it. Trying to impress upon your software developers the importance of properly secured Amazon S3 buckets? Demonstrate how you could create a bucket with a policy that grants access to anyone, and then show how easy it is for an unauthenticated user on the internet to read its contents. Looking to describe spear phishing? Show an example or, better yet, have a team member share how they were targeted.
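For the S3 demonstration described above, here is an added example (not from the article, and not Teramind’s code) of what a security engineer could put in front of developers: a constructed public-read bucket policy beside a hardened one, plus a small checker that flags any Allow statement reachable by an anonymous (wildcard) principal. The bucket name, account ID, role name and VPC endpoint ID are placeholders, not real resources.

```python
import json

# Constructed sample bucket policies for the demo. The bucket name, account ID,
# role name and VPC endpoint ID are placeholders, not real resources.
BUCKET_ARN = "arn:aws:s3:::example-demo-bucket"

# The "insecure" bucket: anyone, authenticated or not, may read every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
    }],
})

# The hardened bucket: only one IAM role may read, and plaintext HTTP is denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyAppReader",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": BUCKET_ARN + "/*",
        },
        {
            # A wildcard principal on a Deny statement is fine; it tightens access.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# A wildcard principal scoped by a Condition: not open to the internet, but the
# condition itself needs a human to confirm it is strict enough.
VPC_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpcEndpointOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (or a principal list containing "*"), i.e. anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def classify_public_access(policy_json):
    """Find Allow statements that grant access to a wildcard principal.

    Returns {"open": [...], "conditioned": [...]} of statement Sids. "open"
    statements have no Condition and are reachable by anyone on the internet;
    "conditioned" statements are scoped by a Condition that should be reviewed.
    """
    doc = json.loads(policy_json)
    result = {"open": [], "conditioned": []}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with "*" restrict access; not an exposure
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        key = "conditioned" if stmt.get("Condition") else "open"
        result[key].append(stmt.get("Sid", "<no Sid>"))
    return result


if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY),
                         ("hardened", HARDENED_POLICY),
                         ("vpc-scoped", VPC_SCOPED_POLICY)):
        print(name, classify_public_access(policy))
```

In a live demo you would attach the first policy to a throwaway bucket, fetch an object without any credentials, then swap in the hardened policy and watch the same request fail; the checker is what developers take away afterwards to run over the policies in their own accounts, so the demo ends with a control rather than just a scare. Note that bucket ACLs and the account-level Public Access Block settings are separate mechanisms and are not covered by this policy check.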

Use multiple communication methods

Combine repeated messages with varied delivery methods. Your communication portfolio should include elearning courses, simulated phishing campaigns, simulated physical social-engineering drills to test in-office security, email updates, and lunch-and-learn sessions.

Tailor information to the role

One of the golden rules for communicators is ‘know your audience’. A phishing email targeted at an accounts receivable clerk might look quite different from one aimed at your CTO’s assistant. Similarly, your software developers are more likely than your AR clerk to need reminders regarding cloud storage security. Take time to assess the unique job requirements and the associated risk, and then deliver corresponding communications.

Connect security at work to security at home

If you have the opportunity to provide resources or tools that will help an employee’s security at home, this is a great way to reinforce the message and increase message relevance.

Highlight the behaviors of role models

Employees will model the behavior of respected coworkers. Tap into role models in your organization and have them share what they do to maintain a security-first mindset.

Take advantage of the experts

Acknowledge that the top communicators in your organization may reside outside of the IT team. Who are the recognized ‘great communicators’ in your organization, and how might you enlist these individuals to relay security messages? Partnering with other departments like HR and marketing is a good way to gain insight into the employee base and bring creativity to your messaging.

Celebrate the successes

Finally, I think it’s necessary to acknowledge the bad-news fatigue that has set in because of the many recent security incidents. Today, it’s easy to become fatalistic and believe that an attack or data breach is inevitable and that attempts at prevention are futile. Your IT team knows this is not the case, and they have the data to prove that attacks are regularly thwarted. When an employee doesn’t take the bait in a phishing email and reports the attempted attack, share the success. When your team recovers from a ransomware attempt by restoring from a segregated backup copy, share the success. Good-news messaging should be in your communications portfolio as well.


Isaac Kohen started his career in quantitative finance developing complex trading algorithms for a major Wall Street hedge fund. During his tenure at Wall Street and his subsequent experience securing highly sensitive data for large multi-national conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so, Teramind was born.

The opinions expressed in this blog are those of Isaac Kohen and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.