How to Create Security Awareness at Your Company Set up a mock phishing email among your employees to see who takes the bait -- and who's the most gullible.
By Robert Siciliano •
Opinions expressed by Entrepreneur contributors are their own.
Imagine this fantasy: At your company, sensitive customer data is impenetrable. Hardware is secure. And every single IT specialist in your employ has the resources and funds to make all of this happen.
Related: Expert Advice: How to Up Your Cyber Security
But, no, it's time to pinch yourself and wake up. The reality is that no matter how secure the nonhuman end of things is, the mere existence of people using a system will always mean the potential for data breaches.
Should we throw in the towel? Of course not. If we did, cyber criminals would practically rule the world.
Instead, we should focus on increasing security awareness in the workplace, from the ground up and from the top down: We should teach workers how to handle data to minimize the potential of its falling into the wrong hands. A couple of strategies:
- Tell employees that a data breach could mean the loss of their job. This will give them incentive to become more security aware.
- Impress on employees the warning signs of a cyber attack so that they can more easily spot suspicious activities.
- Every employee, old and new, should be thoroughly instructed on security at the level of the individual computer. And new employees, before they officially begin work, should complete this training before accessing the company's network.
- Install technology that will detect when employees are doing something they shouldn't. The software will alert them in time to take corrective action as well as enhance their learning experience.
- Set up mock "phishing" emails to see who takes the bait. "Internal phishing" will teach employees how to be smarter and less gullible.
So, what are some ways to maximize security awareness? Here are eight.
1. Establish a baseline.
Before you can get awareness efforts going, you must first collect all the metrics to establish a solid reference point. An example might be the results of the staged phishing. Metrics are important, as they will enable you to gauge the success of effort.
2. Be realistic.
Don't think in terms of banning a certain activity, like involvement with social media, but rather of teaching employees to be judicious about it.
3. Use lots of tools.
A program for security awareness should involve multiple venues such as video games, newsletters, mock phishing and whatever else comes to mind.
Related: What Startups Need to Do to Be Cyber Secure in 2015
4. Be creative.
Even if funds are scarce, you can still make the learning process more fun than drudgery. For example, give boxes of candy canes out for the holidays, but tucked inside each box enclose the company's security policy. Employees will more likely read the policy if it comes with candy canes than if it's simply mailed, or handed to them in the office by the boss.
5. Seek high-ranking executive support.
Once the "bigwigs" get involved, employees lower on the chain will more likely follow suit. How can we get "C-level" decision makers on board in the first place? Tell them that return on investment is contingent upon security. That will get them hopping. Another way to grab their attention is to send out newsletters specifically for them, which will add to their feeling privileged. In the newsletters, include information on security awareness.
6. Recruit other departments.
No department is too unimportant to be involved in security awareness. Get every department involved, even your housekeeping and cafeteria staffs. But especially go after your marketing, legal and human resources departments, because they're in a position to make security awareness a requirement.
7. Re-evaluate.
Re-evaluate your new program every 90 days, without fail. This approach has been shown to be quite effective. To avoid information overload, emphasize maybe three topics at a time over the three-month period. Then, 90 days later, see what needs to be revised, based on those three topics.
8. Hit close to home.
Get employees to focus on themselves; don't harp just on security awareness that affects the company. Make workers understand that security is about them, too, not only the elusive bigwigs. Talk to them about the most common scams and tricks cyber criminals use, and how to protect themselves at home, with tools such as firewalls and wireless VPNs.
