Building a cyber-aware culture should be a part of a long-term IT security strategy – in any company. In reality, however, companies often do not go beyond some form of basic cybersecurity training for employees. Sure, it is not possible to build such a culture in a day. But where should you start?
The success of cybersecurity measures in a company depends not only on IT security experts or IT admins, but also on each individual who has access to company IT systems – from the CEO to employees, interns and external collaborators. Put briefly, each one of us is responsible for the company’s data protection to some extent.
Try to think of a cyber-aware culture as something that arises from the cooperation of all the people in the organisation. Everyone can do something to make it better.
If you are responsible for IT security in your organisation, here is a way to ensure that people across the company understand the importance of safe online behavior and proper handling of corporate devices.
1) Make sure everyone knows the dos and don’ts
This is not as simple as it sounds. In every company, you will find employees who ignore the software's prompts to update, or who do not care what applications they download to their company devices. They might do so because they don’t know that specific apps can cause harm, or simply because they are too busy to give it a thought and rely on the IT department to handle all these issues and risks.
Companies vary in their policies in terms of how many restrictions or freedoms each employee has when handling their electronic devices. Nevertheless, the best way to prevent incidents is to explain the risks, and how to avoid them, to all employees at the outset. At the same time, make sure you have provided clear guidance on how to act in case something does happen. Make sure employees know what to do and who to notify.
2) Invest time in quality training, in cooperation with experts from other fields
As experienced IT experts, you probably know the technical nature of cyberattacks, as well as the situations in which such incidents occur. But that is not enough for really good training. “The key is to find someone who can deliver information to employees in a clear and interesting way,” says Daniel Chromek, ESET chief information security officer, in an interview on building a cyber-aware culture.
Setting up a formal cybersecurity training program in your company is definitely a good start. If you want to be sure your audience will listen to you, you need to take a few more steps. Involve experts in pedagogy, psychology and graphics in the training; they will help you pass on key information in ways that are both memorable and fun.
Psychologists or experienced coaches can add interesting elements to the training – for example, their knowledge of the work of social psychologists can help them understand the ways that technology affects social interaction, attitudes and behavior. Social engineering works with fear, time pressure and blackmail; therefore, it is good to understand these contexts as well.
Which personality type tends to click on phishing links? Read Cyberchology: The Human Element of Cybersecurity
3) Use incidents as examples to illustrate the damage a cyberattack can cause
If a cybersecurity incident occurs at your place of employment, use it as a tool to further educate both employees and managers. By bringing these events up, you can significantly improve cybersecurity awareness throughout an organization. It allows you to illustrate how a cyberattack may look today, why it is so effective and what the possible consequences are.
One way to communicate this could be via a corporate newsletter. But if your colleagues are used to communicating through another channel like MS Teams or Slack, take advantage of that.
4) Monitor cybercrime trends
One of the roles of IT managers is to keep up with cybersecurity events. Because cyberattacks are constantly evolving, you should follow the latest news and trends.
The easiest way to do that is to build a habit of regularly checking a respectable professional platform, such as ESET's blog WeLiveSecurity, that warns against new types of cyberattacks and provides tips on protection.
If something really significant is on the news, let all the employees know about it, too. Just be reasonable with the frequency and importance of these alerts – otherwise, your colleagues will quickly stop reading them.
5) Test everyone’s cybersecurity awareness
There are many ways to do this, but they should be based on the concept of long-term training, which reflects current cybersecurity issues.
If you are – like many others – still at the beginning of building your company’s cyber-aware culture, it doesn't matter. Consider the following sample of questions with which you can educate your colleagues. You can adapt the questions or add your own. You might even offer a symbolic prize for the participants! This quiz may help you to highlight gaps in security awareness in your company and evaluate what needs to be addressed in your next steps.