How to get employees to care about cyber security
Most employees – aside from those in a business’ IT department – care little about cyber security; after all, in the event of a data breach, it’s not the employee that’s held accountable but the business.
According to our market research report, in which we interview 500 senior IT decision makers in UK small and medium-sized businesses (SMBs), one in five (20%) senior IT managers believe that their employees do not care about cyber security.
However – it’s not that employees don’t care; it’s more that they don’t understand.
In the average SMB, employees are far removed from the IT and cyber security functions. The IT department handles everything: device security, network management, cyber security, firewalls, anti-virus, software updates – anything relating to the technology in the business is handled by IT.
At most, employees might accept a software update on their device when prompted but – if recent ransomware attacks like Petya are anything to go by – this can be quite rare.
And so, employees turn a blind eye to IT and cyber security. They do as they are told and invest little time into understanding what cyber security threats could befall the business in the event an update isn’t made or a new piece of software isn’t installed.
This kind of culture is prevalent across a number of SMBs – and it stems from SMBs not educating and involving employees (from the outset) in IT and cyber security issues.
So, just how can SMBs get employees to care about cyber security?
The fact is that a business’ employees are often the weakest link in the security chain – and no cyber security solution will change that. Without any understanding or appreciation of cybersecurity threats, employees will unwittingly expose the business to a damaging breach.
SMBs must start here. As cyber security solutions have become more complex and sophisticated, instead of trying to break through these security measures, cyber criminals are banking on people making mistakes.
Employees should be made aware of the cyber security solutions available and the role they play in a business’ multi-layered security strategy.
Perhaps most important of all is education and training. Regular investment in cyber security education programmes – there are a number of certified cyber security courses available – will increase employees’ understanding of cyber security, the risks of poor cyber security and how to remain protected online. It will also help employees to see how cyber security solutions come together to form a layer of protection.
In addition to education, SMBs must run regular training sessions to contextualise the theory behind cyber security education and give employees a chance to test what they know. These training sessions should be conducted when an employee joins (within the first month) and then repeated on a regular basis. They should be delivered by the business’ IT team (who can highlight the business’ policies with regard to security, BYOD and what to do in the event of a cyber attack) and by external trainers who can help to further bolster employees’ knowledge of cyber security.
Of course, these sessions don’t need to be every week, but they should be routine enough that everyone understands cyber security. Another valuable resource is a cyber security newsletter that highlights best practices and includes actionable tips and suggestions that employees can take away and use.
Educating and training employees in cyber security is one thing – but are they retaining the knowledge from those sessions? One way to ensure employees are always on the ball is to conduct regular evaluation sessions. These sessions could involve question and answer activities, where employees are asked what they would do in a particular scenario, or group activities where employees have to tackle a specific cyber security issue and explain what they would do to prevent it.
These kinds of activities can add a bit of creativity and fun to cyber security, increasing the chances of employees remembering what has been said and how important it is.
Keeping employees in the loop is essential to ensuring they remain committed to cyber security. In order for it to be taken seriously, cyber security needs to be driven from the top down and the bottom up.
The chief executive officer (CEO) talking about cyber security is, for example, just too far removed from the day-to-day of an executive. The CEO is principally concerned with the business as a whole, whilst an executive will typically be concerned with what they have to do in the next nine hours.
However, if key employees at every level are reiterating the value and importance of cyber security and education, that message will permeate through divisions and embed itself in the minds of employees. Over time, cyber security will become part of the business’ culture as employees explain to new starters the policies and practices that the business tries to uphold.
Positive reinforcement is one of the best ways to get something to stick and prompt employees to change.
It’s far too easy for SMBs to punish employees that fail to follow simple procedures – and when it comes to embedding positive practices and cyber security education, many SMBs fall short. With this in mind, businesses should opt to reward employees that follow cyber security policies and procedures correctly, as this will promote positive behaviour.
As employees continue to follow the business’ cyber security procedures, other employees will follow suit and explain the benefits of doing so to others. The rewards don’t need to be extravagant but merely need to highlight the fact the business values their commitment to and appreciation of cyber security.
SMBs are exposed to a number of threats and, unlike larger organisations, are woefully underequipped to deal with them. In our market research report: Under attack: Assessing the struggle of UK SMBs against cyber criminals, we take a look at just how vulnerable UK SMBs are and if employees even care. Download our market research report by clicking the button below.
Privatise’s business VPN solution is the first internet privacy protection tool developed specifically to meet the practical needs of small and medium businesses.