Selling Cyber Awareness to your workforce
My favourite aspect of cyber security is the human element, because an increase in cyber awareness pays the highest dividends over time in comparison to any technical control. When embarking on a cyber awareness journey with employees, we are in a unique and advantageous position, since employees can use what they learn both at work and at home. Covid-19 greatly blurred the lines between home and work: many employees now regularly work away from corporate buildings and corporate internet connections, in an environment of their choosing. This presents new challenges, but also an opportunity, as we can push cyber awareness for the home and the office at the same time.
Despite this, building a cyber awareness culture within your workforce can be very challenging, and you will meet resistance from employees who struggle to understand what's in it for them. So, how do we sell cyber security to the workforce?
It’s not just at work
Social engineering gathered great momentum during the pandemic, both at work and at home. Social engineering is an online and offline technique used to trick people into compromising their security, divulging sensitive information or parting with funds; examples include phishing, impersonation of a person or company, and pharming, all with the aim of obtaining sensitive information. Many employees were busy balancing work with home-schooling responsibilities, which naturally meant that many people's guards were down. There was a huge uptick in phishing scams related to consumer accounts such as Disney+, Netflix and Amazon.
During this time, I increased the number of phishing simulations sent via email to employees, with the intent of demonstrating how easy it was to click, following up with phishing-specific training and weekly newsletters showing case studies of similar phishing attacks, mainly related to accounts. By making it related to accounts that many employees had, it really drove the point home that social engineering is everywhere and they must be vigilant. This was effective in engaging employees with the cyber awareness programme at the company and increasing participation; many employees completed training modules alongside their families, as they understood exactly how it could help them away from work. More importantly, it built a culture where employees felt comfortable approaching the cyber security team with anything they were unsure of, which brought about many insightful conversations but, crucially, built trust. By cultivating a culture of education, staff felt comfortable admitting mistakes such as clicking on links or engaging with phishing emails, which allows us to investigate rather than be painfully unaware.
Growth and development
Cyber security should be an enabling function for departments across an organisation, but over time I have found that many project leads and managers perceive cyber security as "red tape" that delays their plans, especially when taking on new technology. I like to approach this with a people-development focus, aiming to build security capability away from the main security team. How do you do this? Speak to people. Build relationships in which you help people understand the benefits of cyber security and how critical it is. For example, if cyber security experts are not involved at the start of software design, the go-live date could be delayed. Or, from a legal standpoint, if clients have been told that their data is stored on premise and not in the cloud, deviating from this could have legal implications. Understand who could have a natural interest in cyber security; there is usually at least one person who is itching to try something new and broaden their existing skill set. Before going out to the external market for a security hire, understand who in the organisation may be interested in trying an entry-level cyber security course. To generate interest, consider hosting internal events where you showcase the work of the security team. People from other business functions are always curious to learn about something new, and it goes a long way in building rapport.
Hiring internally is almost ALWAYS a better idea, as the existing employee understands the organisation's context far better than a new hire. This also often has the welcome side effect of reigniting their passion for the organisation, as things become new and varied again, making them less likely to look elsewhere for a new challenge.
Over the years, I've found that people have been the best evangelists for cyber security, and as a cyber security consultant I have found that I have been most successful in executing my role when I'm able to connect with people. People make up the business and, more often than not, provide better insights than any technical control ever has. Talk to your people, nurture your people, retain your people.