If you ask any infosec expert what causes most incidents, the answer will almost certainly be the human factor. Most attacks on companies succeed because of employees’ inattention, ignorance and mistakes. At the same time, the human factor is the hardest threat to eliminate, because you’re dealing not with obedient information systems, but living, breathing people.
Our tips often include communicating some information to employees. But this is easier said than done. So today, we’ll talk about how to get employees to take cybersecurity more seriously and heed the advice of security specialists.
Why employees ignore cybersecurity
The problem is that cybersecurity isn’t a priority issue for most company staff. They have their own job to do, and may simply not have the time for what they see as secondary matters. Therefore, it’s important to realize and accept two facts.
First: for a typical employee, information security is a secondary issue. So don’t expect an email about the dangers of reusing passwords to cause an avalanche of password changes, or a memo about downloading dubious attachments to stop the practice dead in its tracks.
Second: be aware that employees for whom cybersecurity is not at the forefront of their mind might not (or probably won’t) understand what you’re talking about. For a security pro, phrases like “targeted attack using spear phishing” don’t contain any complex information. But to the regular employee in sales, accounts or logistics, you might as well be speaking Klingon.
These two facts together often lead infosec experts to the conclusion that the task is unsolvable, so they give up and limit themselves to security measures that relate solely to hardware and software. But this is of course not just wrong but dangerous. The question arises: how to get through to employees?
Cybersecurity + communications = ❤️
The good news is that your company most likely already has all the ingredients in place to establish good communications about information security. You probably have security experts who understand threats and how to stop them. And you likely have communication experts — usually found in HR or, even better, in the internal communications department (if you have one).
Be prepared that at first it won’t be easy: such experts are unlikely to be well-versed in cybersecurity, and probably won’t be burning with desire to delve into the details. But don’t give up: you need to find among them the most suitable candidate for what might be called security evangelism.
Ideally, it should be an already tech-savvy person. If there’s no one in-house, try hiring a new employee who knows internal communications and has a technical background. Such people are rare, but you may get lucky.
When you find them, first, upgrade their cybersecurity skills — teach them to look at the world through the prism of information security. Our interactive Kaspersky Automated Security Awareness Platform is just what you need — it even provides a free trial training.
The essential ingredient of the entire undertaking is trust. IT guys in general, and infosec pros in particular, are notoriously control freaks. So here they’ll have to tame their instincts and let the communication experts do their job where it relates to communication with employees.
Where to start
The internal communications department (if none exists, then HR) will usually have a good idea of which employees do what and how. Therefore, if you outline the general range of threats in a way that your counterpart can understand, they should be able to develop the appropriate communications strategy — that is, determine what risks certain departments are exposed to, and what to explain to employees in specific fields as a priority.
Another useful thing that you and your new ally can do is to create an easy-to-read information security guide for new employees.
Don’t expect instant success. Overcoming the misunderstanding phase will be a challenge. I highly recommend listening to this informative talk by former NYPD Cyber Intelligence and Investigations chief Nick Selby about raising awareness of cybersecurity among NYPD officers (spoiler: it wasn’t easy). I’ll share some of his tips about how to organize the process:
- Keep it simple. At the heart of the NYPD campaign were simplicity and specificity, which helped a lot.
- Empower people. It’s important to have well-oiled communications on security issues in the team, and for employees to understand what actions to take in a particular case. This is so that our aforementioned salesperson or other regular employee knows who to go to with a suspicious email, thereby preventing a hack of the company.
- Show results. It’s a good idea to show how working together produces a positive result. For example, from time to time you can email out an internal memo about attacks that were prevented, and reward employees who helped in this.
Again, a series of interactive trainings can be a good starting point to instill in employees an understanding of why cybersecurity matters, to give them advice and recommendations, and to raise awareness of security requirements and restrictions.
As said above, our Kaspersky Automated Security Awareness Platform is the perfect solution. Your new corporate communications ally can act as administrator of these trainings, and use them to scale up awareness of threats and protection practices throughout the company.