How do you get employees to take cybersecurity seriously? Establishing even the most comprehensive cybersecurity policies won’t guarantee that employees will actually apply those policies in their day-to-day habits.
No one wants to be the employee who mistakenly opens the attachment that leads to a major data breach. But even if you make the cybersecurity policy required reading, skimming a list of musts and must-nots won’t make those guidelines second nature.
The good news is that most people will see through the classic Nigerian prince email scam. Phishing, however, keeps getting more sophisticated. Even employees who know to be skeptical of unknown senders can, when rushing through their inbox, click before they notice that something is off. (One study of 6,500 employees reported that over 500 of them clicked on a phishing email in less than a second.)
Training at regular intervals will help educate employees on cyber risk but, over time, bad habits can creep back in. On the spectrum from high security to greater usability, it’s human nature to favor behaviors that make things easier. Weak passwords, for instance, are so prevalent because they’re easy to remember — which, of course, also makes them easy to guess.
Beyond training, internal communications can be your most effective means of engaging employees in cybersecurity. By weaving cyber risk messaging throughout your regular employee communication channels — from the intranet to newsletters to videos to digital signage — you can keep it top of mind.
Consider these communications approaches to engage your employees in cybersecurity:
1. Show possible scenarios. Telling employees not to click on phishing scams doesn’t help when they can’t recognize one. Giving examples of actual or hypothetical phishing emails, and pointing out the tells (a sender address that doesn’t match the claimed organization, a link whose visible text differs from its real destination, an urgent request for credentials or a payment), helps engage employees’ skepticism.
2. Test their knowledge. Test employees’ cyber-savvy with quizzes or contests. For one company, we created a true-false campaign on digital signage. The first slide showed a statement that sounded plausible, whether true or not. The following slide confirmed whether it was true or false and added a friendly reminder of what to look for.
3. Use humor. Cybersecurity is serious business, but sometimes it’s easier to get employees’ attention with humor. For another company, we developed a fictional cybersecurity advice columnist who gave witty responses to questions about policy. Human error is what we’re trying to avoid, and we can engage employees in being more careful by showing the funny side of that — like the cyber version of someone slipping on a banana peel.
4. Try recognition. If you measure employee compliance in any way, call attention to the employees who are model citizens of cybersecurity. That could be the top scorer in an employee cyber-risk contest or a standout at each training session. The recognition can be minimal, like giving the winners a shoutout at the end of the training class, or more visible, such as the CEO or CTO announcing each quarter’s cybersecurity stars at the town hall.
5. Keep talking. Like any important internal messaging, you have to sustain the communications. Rather than using a firehose approach that blasts employees with cybersecurity policies as a one-and-done campaign, keep up a steady drip of communications throughout the year — not just when it’s time for compliance training.
Even with an ironclad cybersecurity policy, and regardless of the controls your IT team puts in place to protect the company, employee error will remain one of the greatest threats. Equip your people with the knowledge they need to avoid cyber risk, and then keep awareness high with ongoing internal communications.