Employees are considered to be the greatest asset of any organization. However, they are also its greatest risk. History offers many incidents in which an employee, whether through malicious intent or by accident, leaked sensitive information and caused severe damage to the company. To manage this predicament, companies devise elaborate training plans and curricula to make employees aware of the do's and don'ts. But the effectiveness of such programs is still debated. The human mind doesn't work like a computer: people learn selectively, and anything that doesn't interest them will hardly sink in.
Mindless training is therefore not enough; you need to empathize with employees and understand how they feel. Bluntly holding people responsible for every attack only fosters an unwanted victim-blaming mentality. Security teams exist to protect information, people, and the business.
Here are some tips for helping all employees understand cyber risk and best practices.
Do the drill
The best training is a drill that simulates a cyberattack and requires employees to interact with it, for example a simulated phishing email. Whatever the employee does, whether it leads to a breach or keeps the network secure, there are lessons to be learned. Top organizations run such drills on a regular basis. If fire drills are standard practice for safety, why shouldn't cyberattack drills be?
Lead from the top
Before you make the rest of your employees aware of cybersecurity challenges, the CISO should communicate with leadership and make them understand the impact of a potential breach. A good cyber plan needs a budget for hardware, software, and training, year over year, and that requires getting the CFO, CIO, and CEO on board.
Don't hesitate to perform unannounced evaluations of your systems to determine how vulnerable your organization would be in an attack. You will never know how good or bad your security is until you assess it at regular intervals.
Make the learning process continuous and highly personalized. Classroom-style teaching with a few slides and videos won't cut it. The process should begin the day an employee is onboarded and end only when the employee leaves the organization. As the threat landscape evolves, the material should adapt to the new challenges and keep employees aware of them.
When an employee identifies a threat and reports it, reward that employee for coming forward and informing the IT team. IT leaders should also empathize with employees who make mistakes. Many employees send or receive hundreds of emails per day, so asking them to scrutinize each and every one is a tall order.
While these tips can certainly help the organization, education alone is not a complete defence. That is why you need to track the ever-evolving threat landscape and adapt to it continuously.