Creating a Cybersecurity Culture In Your Nashville Business
Statistics point to human error as the number one cause of security failures. Weak passwords, shared credentials, and inadvertent clicks are the primary vulnerabilities that humans pose. Although employees appear to be the weakest link in a company’s security posture, they can be the strongest defense against attack. It depends on the culture that surrounds them. Is your culture blaming employees or enabling them to be better defenders of your company’s digital assets?
When companies see people as the problem, they tend to use fear as a motivator. However, fear is a short-term fix to an ongoing problem. Viewing people as part of the solution helps organizations approach cybersecurity as a problem to be solved together. Collaborative problem-solving makes for a stronger and longer-lasting approach to building better defenses.
People Are Not the Problem
Scaring people with cybersecurity statistics may work for the short term, but it often results in long-term failures. For example, security awareness training warns employees about phishing emails. The presentation explains how 90% of all breaches are the result of employee errors. It gives examples of how people clicked on embedded links that caused their employers to lose millions, even resulting in some firms going out of business. The training stresses how important it is for users to pay attention to every email to stop an attack on their company.
A few weeks after the awareness training, it doesn’t appear that anything has changed. In fact, productivity has declined, and morale seems to have plummeted. Employers wonder why employees do not seem to care, which may lead to even harsher actions that result in a negative corporate culture. So what went wrong?
Fear is Paralyzing
Employees may be more vigilant immediately following training. This vigilance often lowers productivity because employees are carefully checking every email for possible phishing attacks. If they find something that looks suspicious, they can’t decide if they should ignore it or report it. They become paralyzed with indecision. This is especially true in environments where mistakes often mean punishments.
Fear Implies Punishment
Fear tactics often come with punishments. Organizations impose consequences because they think employees will follow the rules if they have a tangible stake in the outcome. This approach often results in disengaged personnel. When employees disengage, they become apathetic. That creates environments where employees are not as diligent and do not report suspicious behavior. Part of a strong cybersecurity posture is being forewarned by employees of potential attacks. If they fear punishment, people are less likely to report unusual behavior.
Fear is Conflicting
Passwords, as an example, often present difficult choices for employees. They understand the need for strong passwords, but they also question whether the risks are really that significant. Add a fear mentality to that skepticism, and people can become conflicted. Do they really need different passwords for everything?
Without a tool to help manage passwords, employees are faced with unreasonable demands for tracking passwords. They try to follow the rules until they can’t. So, they write them down, even when they know they shouldn’t, or they use weak passwords that can be remembered. Employees know the risks, but they don’t see a way to follow the rules and be productive.
Using Scare Tactics
Fear-based tactics start from the assumption that people are the problem. They assume people know how to implement good cybersecurity hygiene and are consciously deciding not to follow the rules. What would a cybersecurity culture look like if it were based on the assumption that people are the answer?
People Can Be the Solution
Employees are a company’s last line of defense. When phishing emails land on employees’ desks, they have already made it past all of a business’s defenses. The emails have made it through the spam checkers, virus scans, and filters. Whether an organization becomes the next victim depends on what the employees do. Creating a positive cybersecurity culture requires more than a few training courses. It requires an environment where employee efforts are enabled.
Create Security Groups
Instead of training everyone to the same level of cyber awareness, companies should train select individuals who can function as “experts” for a group. The group can be individuals who work in the same physical location or team members of a project working remotely.
Assign one of the citizen experts to each group. When someone wonders if an email is suspect, they can ask the expert assigned to their group. It seems less intimidating when employees ask for help from people they work with. These experts can also serve as part of a communication chain that can alert staff to possible scams or phishing emails.
Since credentials, especially passwords, are a point of contention in most companies, consider a password manager. Be sure to select one that is easy for non-technical employees to use and train them on how to use it. Once people see how password managers can save them time and ensure strong passwords, they are more likely to use the tool.
Having documented procedures for responding to cyber incidents is critical to effective cyber defenses; however, many organizations have them buried in IT, where few people even know they exist. Instead, put the information on the intranet or in a knowledge base so anyone can access it if they have questions.
Providing resources that enable employees to execute the security rules easily and effectively means a greater chance that they will be followed.
If organizations want remote workers to use VPNs, they need to install and configure the solutions for them. Asking people to go to a website, download the software, and configure it themselves presents a huge obstacle for many employees. Instead, have the IT department install and configure the software, so all employees need to do is launch the program.
Companies may have strict rules about how files can be sent to other employees or clients. If external storage devices are banned, provide alternatives for employees. For example, memory sticks may be used to transfer data, but they also represent a potential access point for a virus. Banning their use is one approach; however, an alternative may be to provide employees with encrypted flash drives or make it easy to transfer encrypted files over the company’s network or the internet.
Creating a Cybersecurity Culture
Building a strong cybersecurity culture takes cooperation and collaboration. It means listening to what employees need to make sure the rules are followed. It requires balancing security protocols with user-friendly tools. Finding a knowledgeable partner who can help navigate the world of cybersecurity can also help create a cybersecurity culture. Contact us for help making your work environment secure.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.