How do you get staff on board with security? By making it personal, says Kevin Halkerd, Senior Risk & Security Analyst at e4.
Most successful cyber breaches have one thing in common: people. Your company can be protected from every tech angle, with the latest security updates and most advanced threat detection, but it takes just one employee accidentally sharing their password for a major breach to occur.
Human-targeted attacks will remain the number one threat to cyber security and will only keep increasing in volume and complexity this year. As even casual observers have become more adept at spotting emails that don’t look quite right, criminals constantly work at creating more sophisticated traps. This year, we’ll likely see more complex attacks as well as automation and the monetisation thereof, as bad actors leverage and repurpose the likes of ChatGPT and other AI chat tools.
Human error is not only the biggest security blind spot; it also requires more effort to remediate. It necessitates training and buy-in, as opposed to a security threat you can address with a patch or a more secure configuration. And after all that, your security still depends on the will of those humans to engage with the training and execute the learnings. There are no quick solutions, and any solution in place requires constant reviewing, re-engagement, and reporting.
So how do you get staff members to engage in security messaging and implement these instructions correctly? By making it personal for and applicable to them.
South Africa already has a security-first culture due to our sensitivity to crime in general. Your toughest challenge is then to broaden the scope of staff members’ security mindset.
Do this by always providing consistent, friendly, and supportive engagement on security topics. If your security team can add value to other staff members’ lives, whether through support, personal advice, or leading by example, these quality exchanges will become a foundation for further interaction. If staff members perceive that they, too, get value out of engaging with security teams and materials, they’ll be more inclined to adopt your overall organisational strategy and awareness mission.
You could tailor such initiatives by:
- Using strong awareness content about the threats most prevalent in your business to regularly keep security in focus.
- Adding customised content to such materials to dig deeper and create interest in current trends.
- Sharing ‘inside info’ such as vulnerability notices and remediation steps for consumer phones, tablets, and wireless routers that staff members may use in their personal lives.
- Running routine unannounced simulations and sharing the results with the group.
- Incentivising participation by rewarding star performers – but still supporting stragglers.