
How to Build an Effective Cyber Security Employee Awareness Program


Synopsis

With the proper education and awareness training, employees can be deployed as the best defense against cyber attacks. The current approach to training requires an overhaul to deal with today’s new wave of attacks.


According to the 2017 Cyberthreat Defense Report by CyberEdge Group, a lack of security awareness among employees is “the greatest inhibitor to defending against cyber threats.” A recent Verizon report found that in 60 percent of breach cases, attackers were able to compromise an organization within minutes. As businesses navigate a growing landscape of cyber threats, coaching appropriate employee behaviour will continue to be a critical risk management measure.


Taking a Non-Traditional Approach to Training

Workplace security training traditionally involves mandating that employees complete learning modules, followed by testing that involves answering multiple-choice questions. The training is reinforced through executive communications and reminders any time a breach occurs.

For employees pressured to achieve higher results with fewer resources, security training becomes both a burden and a distraction. Although the training content may be comprehensive and include all the necessary instructions to put a strong security policy in place, the messages aren’t resonating with the people who need to enact them. Instead, security fatigue may be leading employees to push the information aside, dismissing threats as an “IT problem.”

Make It Personal

While the modern workplace has become focused on digital assets and connectivity, many employees have developed digital workarounds which are contributing to the problem. Even millennials, who were raised in the digital world and are aware of the need for strong cyber security habits, are not immune to taking shortcuts at the expense of proper protocols.

Introducing awareness programs that relate employees’ security practices in the workplace to a benefit in their personal lives may be an effective way to increase employee engagement and compliance. Demonstrating how creating strong, secure passwords or avoiding unsolicited links can protect their personal assets can transform how employees view policies they may have dismissed as unimportant or overly cautious.

Make Training Engaging

Although the content of the training modules is professionally developed, the information and delivery may not be engaging. Employees may walk away without absorbing enough knowledge to know how to recognize and avoid a security breach. Instead, companies must look for ways to increase engagement by integrating security awareness into the company’s culture.

One approach to increasing security awareness involves running a phishing exercise to reveal how many employees would click on a malicious link sent by email. When the results are reported back to employees, they have a tangible example of how their actions are linked to a potential security breach. The exercise should be followed by a comprehensive and engaging awareness campaign. The expectation is that when the phishing exercise is repeated, the results should show a significant improvement.

Encourage Rather Than Penalize

Another unfortunate traditional approach to security training involves penalizing employees with threats of discipline or dismissal for security breaches. While this approach is intended to discourage malicious intentions, it may unintentionally deliver a message that mistakes will not be tolerated.

By most estimates, only 20 percent of employee-at-fault security breaches occur due to malice on the part of the offending employee. The vast majority of security issues happen because of a lack of attention or awareness. With the threat of discipline or dismissal looming in their minds, employees may be hesitant to report security breaches.

When IT and security departments react to reports with encouragement rather than interrogations, employees become part of the solution. The benefits are two-fold. Security has the information they need to identify a breach and fix the problem. The employee is more likely to notify IT or security if they suspect a problem.

Changing the Way of Doing Business

Traditional approaches to cyber security have shifted substantially as old controls such as firewalls, anti-virus software, and security patches are no longer sufficient in and of themselves to keep organizations safe from attack. Employee education and training need to evolve to provide the right level of awareness in a format and with content that can help employees become partners in cyber security.

Find out where your company stands by completing MNP’s free Cyber Health Assessment Tool.

To find out what MNP can do for you, contact:

Ron Borsholm
B.C. Leader, Cyber Security Services
T: 778.350.3562
E: [email protected]
