Small business owner, Human Resources manager, IT professional: You understand the importance of cybersecurity. You know how damaging a cyberattack can be. The question is, how do you get your team members to care? Even more importantly, how do you get them to comply with the security policies you put in place?
There are no simple answers to these questions, but experts recommend the following 11 strategies for preventing and responding to cyberattacks.
1. Prepare for the worst
Many companies wait until after they suffer a cyberattack to implement a cybersecurity preparedness plan. That’s like waiting for a fire to happen to establish an evacuation plan. Don’t wait for the worst to happen before taking action. Ensure your company has a complex, proactive strategy that covers:
- Security basics
- Data security
- Password security
- Account security
- Device security
- Endpoint security
- Security policies
- Disaster protection
Depending on your organization size and type, having an internal communications plan and a PR strategy in place might also be a good idea.
2. Get top management on board
Employees only take cybersecurity seriously when company leaders do. CEOs and managers must show a commitment to cybersecurity by:
- Funding cybersecurity prevention and training
- Setting the right example by following cybersecurity policies themselves
- Bringing up the topic of cybersecurity in meetings and events
3. Identify and provide special training to at-risk groups
Top managers are often targets of cyberattacks because they have access to more information, and to information that is valuable. Give them special training and ensure that they follow the same cybersecurity policies imposed on the rest of the staff.
4. Spell out employee obligations
Define the security practices that everyone needs to follow. Add them to your employee handbook. Amongst other things, employees should know how to report suspicious activity and understand the rules for using personal devices in the workplace.
5. Make rules easy to follow
6. Provide customized cybersecurity training
A study by the Institute for Homeland Security Solutions found that employees respond differently to cybersecurity policies and training depending on their personality type.
This suggests that companies should provide targeted cybersecurity training based on personality traits. That requires:
- Assessing employees’ Big Five personality traits
- Grouping employees according to personality type
- Providing targeted training based on the specific motivators of each type (e.g., extroverted individuals may not be motivated by punishments, so their training shouldn’t emphasize sanctions)
7. Make cyber literacy initiatives ongoing
In addition to full-on training once a year, ensure that cybersecurity is routinely discussed. Consider:
- Sharing cybersecurity information, including news stories about cyberattacks and tips for staying safe, in internal communications channels (e.g., company newsletters, Basecamp, or Slack)
- Organizing Lunch and Learn events centered around cybersecurity
8. Educate new hires
Make cybersecurity education a part of your onboarding process to ensure that new employees understand the basics of cybersecurity and the behaviors expected from them.
9. Test employees’ knowledge of cybersecurity
Ensure all employees have mastered cybersecurity essentials by quizzing them. Cybersecurity may be a dry topic, but the experience of testing how much your employees know about it doesn’t have to be. Find creative ways to educate and test their knowledge. Take inspiration from Airbnb. The platform recently rolled out an enhanced cleaning protocol which includes guidelines for cleaning and sanitation. Hosts learn what to do through visually appealing resources, then take an interactive quiz on the topic. Although taking the test isn’t mandatory, those who do and pass it receive a special call-out on their listing, which makes them appear more conscientious and trustworthy to guests.
10. Reward employees for their efforts
Rewards influence both individual and group behavior. Studies show that rewards (prizes, bonuses, raises, recognition) make employees more likely to change their behaviors to improve processes. Offer rewards to employees who complete training programs, and create competitions with prizes at the end. Recognize employees for doing their part in protecting the company’s assets, including when they report suspicious activities that turn out to be false alarms.
11. Make it safe for victims to share
Cyberattacks are notoriously underreported. Victims are often embarrassed or scared of what might happen to them if they speak up. Help employees feel safe reporting cyberattacks. Their experience will provide insights into how the company is being targeted.
Persuading employees that cybersecurity is important is a difficult but essential task. In addition to implementing company-wide policies, companies should use a combination of strategies to educate, train, and test employees’ knowledge of cybersecurity.
What cybersecurity strategies have worked for your company?