EXECUTIVE SUMMARY:
Around the globe, cyber risks are intensifying. Responding to these growing challenges requires developing new partnerships, encouraging inter-departmental collaboration, pursuing innovative cyber security solutions, and promoting employee security awareness and engagement, among other things.
In honing in on employee engagement, new survey findings suggest that there is a significant disconnect between CISO expectations of employees and employee attitudes. Specifically, the survey found that within public sector groups, 34% of employees do not believe that their actions impact an organization’s overall security. Worse yet, over 20% of those surveyed indicated that they did not care about whether or not their organization experienced a hack.
Unpacking the disconnect
A recent Forrester report shows that many security leaders lack skills when it comes to influencing employee behavior and building a strong culture of awareness. Security leaders are, well, security leaders, not PR professionals. In many instances, security leaders are unaccustomed to being the public ‘face’ of cyber security, don’t know what to say to employees, and unsure of what educational tools employees would find most engaging.
Only 28% of U.S. and U.K.-based employees feel that their security awareness trainings are engaging. Because training is often such a snooze, only 36% of U.S. and U.K.-based employees say that they pay full attention to awareness trainings.
Let’s change this! Only 36% of U.S. and U.K. employees say that they pay full attention to cyber security awareness trainings. #AwarenessTraining #EmployeeEngagement #CyberTalk #Cybersecurity Share on XDriving cultural change
In general, employees tend to focus on the responsibilities that have been delegated to them. Cyber security leaders may do well to find a means of having security awareness and engagement incorporated into written job responsibilities. Otherwise, leaders may see a continuation of the “it’s not my job” attitude.
Cyber security training
More than 60 percent of government organizations do not provide mandatory cyber security training for employees. Those that do provide training sometimes offer it as a single-day event, which is known as an ineffective training modality. Instead, for greater long-term impact, organizations should implement several cyber security awareness programs throughout a given year.
Reaching the seemingly unreachable
A) Non-technical employees might not have a sense of just how vulnerable organizations really are and might not truly grasp that something as small and seemingly innocuous as a phishing email could have large-scale consequences for an organization.
In addition to providing adequate training, leaders need to do so in a way that ‘speaks the employee’s language,’ framing threats in terms of concepts and objectives that non-technical employees inherently care about.
To drive points home, leaders may wish describe threats in terms of financial impact on the company. When employees can visualize how threats could affect their areas of work, they are more likely to adhere to security recommendations.
B) To reach employees that simply don’t seem to care about the organization’s security at all, emphasize the personal dimension of cyber risk. A cyber security breach could lead to the dispersal of information about employees or their families.
A breach might mean that employees’ social security numbers, addresses, phone numbers and family members’ names fall into hackers’ hands. In turn, employees and/or their family members could experience identity theft, rendering it challenging to open new lines of credit or to enroll children in school, among other things.
Working with a vendor
Consider working with a cyber security vendor in order to tailor training materials to the specific needs of your organization. A vendor partnership can help you transfer information about the latest threats to your people in a clear, concise and optimally engaging way.
Cyber security vendors have worked with hundreds, thousands or hundreds of thousands of organizations in training and increasing engagement among employees, meaning that they keep a pulse on what works and what doesn’t. They might just be one of your best options when it comes to bolstering employee engagement.
What are you waiting for? To learn more about increasing cyber security awareness initiatives, please see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.