During key cybersecurity events like Data Privacy Day in January and Cybersecurity Awareness Month throughout October, strong security behavior and best practices become top of mind. But how can you get employees to care about security year-round?
The key to engaging your employees around cybersecurity is to make security a habit, an everyday part of your organization’s life. Just like any other habit, it’s about small, continuous shifts that add up to a big impact.
For security leaders, the tools and communications you introduce can help facilitate a behavioral shift and gently remind employees to be mindful of security in a fast-paced workplace. Here are several ways to spark conversations and continual security awareness among your teams:
Explain breaches in the news.
Large-scale data breaches are, unfortunately, occurring with increasing frequency, and with increasing magnitude. Incidents impacting large enterprises quickly become big headlines, with ransomware and data breach incidents coming to light at a steady pace. Use these incidents as an opportunity to educate and engage. Help your employees understand what these breaches mean, what happened, and what they can do to help your organization remain secure in an increasingly sophisticated and challenging threat landscape. Show them the kinds of threats to watch out for, and remind them of the importance of each individual’s actions.
To get employees to care about security, bridge the gap between work and home.
Demonstrate how best practices at work can translate to best practices at home. No one wants to have their identity stolen. No one wants to see their bank account suddenly emptied. Show employees that the consequences of ransomware, weak passwords, and unsecured data sharing can have a big impact on their own personal life, as well as the future of the organization. The National Cybersecurity Alliance demonstrates several ways that individuals can secure their online life. This should help put security into perspective and demonstrate that it’s not just the IT team’s job, and it’s not just something to be mindful of at work. It should be part of every interaction with technology—from computers to phones and IoT devices—both at work and at home.
Make security easy for the end user.
If employees aren’t empowered with easy-to-use tools and methods to protect the data they’re sharing, they simply won’t protect it. Anything too cumbersome or difficult will fall by the wayside, because people want to efficiently get their jobs done. This means sensitive data may flow outside your organization unprotected and fall into the wrong hands. By providing simple tools that fit into employees’ natural workflows (such as end-to-end email and file encryption, security alerts for emails containing sensitive data, and the ability to quickly report phishing attempts), you can ensure that security becomes part of the habit.
Highlight the “security heroes” of your organization.
On a monthly or quarterly basis, highlight your security heroes — whether it’s someone on your business technology team or an end user that’s doing a great job protecting the organization’s sensitive data. This can be a chance to highlight and recognize positive behaviors like reporting suspected phishing or aligning with your team on a certain type of data that needs to be better protected.
Share your IT team’s wins.
Whether it’s applying a critical patch, developing new workflows, or modernizing part of your technology stack, use this as an opportunity to educate the enterprise about the important work being done in your department, so they don’t take it for granted.
“Ask Me Anything.”
Make yourself open to answer employees’ questions, and send out a technology Q&A email once a quarter. Answer questions like, “What password manager should I use?” and “Do I really need multi-factor authentication?”
Think about ways to engage teams cross-functionally. You could do a data management assessment to determine what types of sensitive data each department manages. You could create a task force to prevent insider threats, including representatives across the organization. An employee who advocates for strong security practices can not only make a positive impact, but they can also provide you with recommendations based on their day-to-day observations. If certain platforms are too clunky to use, or if people are growing weary of certain security messaging, they can let you know.
Continue the momentum.
Once you’ve cultivated employee engagement around the subject of security, harness that power and maintain it throughout the year. While your required employee security training may come up every few months, you should aim to communicate at least on a monthly basis with your teams to ensure that security remains top of mind and becomes a truly ingrained part of the culture of your company.
After all, security builds trust: An organization that demonstrates a commitment to safely managing employee and customer data will strengthen loyalty. Embracing cybersecurity and mindful management of sensitive data will protect your organization’s integrity and even give you a competitive edge.
For more tips and recommendations on fostering a strong culture around cybersecurity, download Virtru’s guide, The Empowered Employee: How to Positively Govern and Influence Security Behavior in a Zero Trust World.