Nearly 90 percent of all successful cyberattacks are caused by human error, yet most companies focus their attention on technology fixes instead of influencing employee behavior. That’s a mistake that’s costing companies time and money against the growing threats to information security, according to Sonja Popp-Stahly and Aaron Pritz.
In a recent Shoff Chat, they shared their experiences in information security and advised that building a security mindset among employees is the most effective weapon against cybersecurity threats.
During major challenges such as the COVID-19 pandemic, criminals are working overtime to use fear and opportunity to hack systems and steal valuable information. Pritz explained that cyberattacks are getting worse as companies have increased work from home arrangements and scrambled to create new policies and systems, making them more vulnerable than ever. Additionally, the increased use of personal devices and the need to share or store information in the cloud has brought more opportunity for error that criminals are using to their advantage.
“You can’t block everything that’s bad, and that’s why educating employees is critical,” Pritz said. “They are the first and last line of defense.”
October is Cybersecurity Awareness Month, and it’s a perfect time to introduce or reinforce to employees that they are the critical link to keeping customer and company information safe and secure. For companies looking to educate employees, Pritz and Popp-Stahly offered the following key takeaways:
- Make it personal. Educate employees on how to keep themselves and their families safe online. When employees recognize the personal benefit, they’ll be more likely to carry proper security practices into the workplace, which also builds goodwill when getting employees’ attention on security topics.
- Provide real-life examples of security breaches, especially those that have happened in your own company or similar industries. It may feel uncomfortable to show these examples but giving employees relatable examples will help them understand the true impact of their actions.
- Get creative. Don’t just lecture or train employees on security threats. Gamify the experience so that it’s memorable. Online scavenger hunts, virtual escape room experiences and other tactics can make learning about and retaining security practices easier and fun. You can also influence behavior by creating security champions who can educate and assist their peers across the organization.
- Recognize that security is everyone’s job, not just an IT function. Don’t spend all of your security budget and activity on phishing programs. Create a diverse and balanced program that engages employees in a fuller picture of security threats and solutions.
- Understand the data you’re handling. Consider classifying data based on sensitivity, then develop policies and procedures that protect the most sensitive data first.
“Whatever you do, be sure to have a focus,” says Popp-Stahly. “There are a lot of competing topics being communicated to employees. You don’t want to confuse them by sharing too much information.”
The National Cybersecurity Alliance offers resources for small and medium-sized businesses who want to learn more about cybersecurity education.
Are you interested in finding a cybersecurity communications partner? Contact Stacy Sarault to learn more about Borshoff’s capabilities.
Want to learn more about Shoff Chats? Check out other episodes here.