Your employees are all smart, savvy people, right? You probably wouldn’t have hired them otherwise. While this intelligence and shrewdness keeps your organization running, it can also work against you in certain situations – when it comes to cybersecurity, for example.
“That doesn’t make sense – my people have been working digitally for years – they know how to protect themselves and the company,” you might think. But Verizon’s 2018 Data Breach Report found that an average of 4% of targets in a phishing campaign will click, and that people who have clicked once are more likely to click again.
Last year, 60% of security professionals responding to the EY Global Information Security Survey ranked employee carelessness or negligence as a top threat, up from 44% in 2015. And their wariness isn’t misplaced: a 2017 report from Willis Towers Watson found 66% of all cyber insurance claims stemmed from employee negligence or malfeasance, and the FBI reported a staggering $12.5 billion lost in 2018 due to business email compromise alone.
One of the biggest problems is that people are now so comfortable working, communicating and conducting business online, they’ve become overconfident in their immunity to risk.
“Most modern workers think they know how to avoid security threats,” says Dark Reading. “We no longer have an awareness problem: Workers have heard the basics about phishing. We have a false confidence problem. Knowing about security threats is only half the battle. Employees also have to know what actions to take.”
Making sure your employees know what actions to take, and encouraging or requiring them to take those actions, is primarily the responsibility of your organization. Here are five steps you can take to build and maintain a culture of true, educated, actionable cybersecurity at your organization:
- Conduct regular, relevant, updated training: We’ve all seen the dated training videos about cybersecurity risks … like leaving confidential documents sitting on a fax machine … and we’ve all laughed at them and zoned them out. It’s worth investing in personalized training that takes your organization’s policies, practices and risk factors into account. When employees feel that a trainer or training program really understands company culture and any potential threats, they’re much more likely to pay attention.
- Require password updates and security measures: Nobody likes a forced PC restart due to antivirus software. People really don’t like being forced to choose a new 15-character password with at least one number and one special character every three months. But these measures are extremely important for protecting your organization’s information. Unique passwords (that aren’t the same as passwords your employees use for banking, shopping and accessing medical records) can help keep breaches from occurring, and company-wide antivirus software installation and maintenance can help protect you from threats that do manage to break through.
- Start from the top: Corporate cybersecurity cannot be a ‘do as I say, not as I do’ situation. Employees need to see your organization’s leadership following best practices too. When good behavior is modeled for them and they see executives following the same policies they are told to follow, they are more likely to do so.
- Remind employees it’s about them too, not just the company: No matter how loyal your people are, the idea of a threat to their personal bank accounts or identifying information will probably encourage action better than the idea that only corporate information is at risk. Remind them that because so much of our lives is lived online these days, a breach of their corporate accounts can mean increased risk to their personal accounts.
- Invest in a solution to monitor individual security breach risk: On the flip side, if an employee’s information is compromised elsewhere on the internet, your organization is more at risk. With Applogie’s data breach discovery feature, you can get alerted when an employee account has been compromised somewhere else online. Then you can prompt that employee to change his or her corporate password immediately, greatly reducing the chance that your own corporate systems are breached as well.
We all think we’re smart enough to avoid security threats online, but we all get careless. The right corporate policies and solutions can help your employees shoulder less of the responsibility, and the right educational tactics and behavior modeling will encourage them to be as safe as possible with your organization’s systems and information.