Building a cyber-aware culture should be a part of a long-term IT security strategy – in any company. In reality, however, companies often do not go beyond some form of basic cybersecurity training for employees. Of course, it's not possible to build such a culture in a day. But where should you start?
The success of cybersecurity measures in a company depends not only on IT security experts or IT admins, but also on each individual who has access to company IT systems – from the CEO to employees, interns and external collaborators. Put briefly, each one of us is responsible for the company’s data protection to some extent.
Try to think of a cyber-aware culture as a thing that arises from the cooperation of all the people in the organization. Everyone can do something to make it better.
If you are responsible for IT security in your organization, this is a way to ensure that people across the company understand the importance of safe online behavior and proper handling of corporate devices.
1) Make sure everyone knows the do's and don’ts
This is not as simple as it sounds. In every company, you will find employees who ignore the computer software's prompts to update, or those who don't consider what applications they download to their company devices. They might do so because they don’t know specific apps can cause harm, or simply because they are too busy to give it a thought, and they rely on the IT department to handle all these issues and risks.
Companies vary in their policies in terms of how many restrictions or freedoms each employee has when handling their electronic devices. Nevertheless, the best way to prevent incidents is to explain the risks and how to avoid them to all employees at the outset. Also make sure you have provided clear guidance on how to act in case something does happen. Make sure employees know what to do and who to notify.
2) Invest time in quality training, in cooperation with experts from other fields
If you're an IT expert, you understand the technical nature of cyberattacks, as well as the situations in which such incidents occur. But that is not enough for really good training. “The key is to find someone who can deliver information to employees in a clear and interesting way,” said Daniel Chromek, ESET chief information security officer, in an interview on building a cyber-aware culture.
Setting up a formal cybersecurity training program in your company is definitely a good start. If you want to be sure your audience will listen to you, you need to take a few more steps. Ideally, you'll involve experts in teaching, psychology and graphics in the training, who will help you pass on key information in both impressive and fun ways.
Psychologists or experienced coaches can add interesting elements to the training – for example, their knowledge of the work of social psychologists can help them understand the ways that technology affects social interaction, attitudes and behavior. Social engineering works with fear, time pressure and blackmail; therefore, it is good to understand these contexts as well.
3) Use incidents as examples to illustrate the damage a cyberattack can cause
If a cybersecurity incident occurs at your place of employment, use it as a tool to further educate both employees and managers. By bringing these events up, you can significantly improve cybersecurity awareness throughout an organization. It allows you to illustrate how a cyberattack may look today, why it is so effective and what the possible consequences are.
One way to communicate this could be via a corporate newsletter. But if your colleagues are used to communicating through another channel like MS Teams or Slack, take advantage of that.
4) Monitor cybercrime trends
One of the roles of IT managers is to keep up with cybersecurity events. Because cyberattacks are constantly evolving, you should follow the latest news and trends.
The easiest way to do that is by building a habit of regularly checking a reputable professional platform, such as ESET's blog WeLiveSecurity, that warns against new types of cyberattacks and provides tips on protection.
If something really significant is on the news, let all the employees know about it, too. For example, the recent headlines about high-profile ransomware attacks are certainly worth discussing. Just be reasonable with the frequency and importance of these alerts – otherwise, your colleagues will quickly stop paying attention to them.
5) Test everyone’s cybersecurity awareness
There are many ways to do this, but they should be based on the concept of long-term training, which reflects current cybersecurity issues. Here's a sample set of questions you could adapt for your own organization:
Developing your own quiz can help you highlight gaps in security awareness in your company and evaluate what needs to be addressed in your next steps.