Juan Manuel Harán, Security Editor at ESET discusses how can organizations foster a workplace environment that enables employees to acquire the skills needed to keep cyber-threats at bay?
Since human error has a well-documented history of causing many breaches, no organization can afford to overlook the importance of ensuring that its employees are aware of online dangers. This is mainly why the first installment in our series of articles to mark this year’s Antimalware Day will outline five ideas for creating a culture that inspires staff to stay on their toes and with cybersecurity top of mind.
Establish an email address for queries
Creating an email account where employees can send their questions on any and all things cybersecurity provides for a good start and has multiple benefits. For one thing, the designated email account can encourage employees to come forward and ask questions that they might not otherwise ask. Employers can also ask their staff to forward suspicious-looking emails to the address for review, which can help the employees become more astute at recognizing fraudulent email messages. The messages can also be used for organizing training sessions that will benefit the other employees and the company as a whole.
Set up an early warning system
To counter malicious spam campaigns, it’s worth considering establishing a dynamic and proactive early warning procedure that allows for alerting the entire company and keeping all employees informed that a malicious campaign is circulating. This can cut the risk that an unsuspecting employee will fall for the trap, putting organizational, employee and customer data in danger. Additionally, the system serves to reinforce awareness of some of the main cybersecurity threats and common techniques used by cybercriminals, even where they leveraged some tried-and-tested methods. Lastly, the procedure may enable security staff to analyze the campaign’s features.
Organize talks and trainings
Talks with experts, be they employees of the same organizations or guest speakers, can also go a long way towards educating staff on various aspects of information security. Since organizations typically employ professionals from various fields, it may be advisable to set up separate talks that target the abilities, interests and experience of various groups of people. A picture is worth a thousand words, so you can’t go wrong with using any kind of visual material that makes the session more engaging.
Run contests
Everybody loves to compete – and win, right? Employee contests are a fun way to help instill robust cybersecurity habits. For instance, materials from trainings or talks can be leveraged for quizzes that will not only reward the winners, but will also provide your organization with better insight into just how cyber-aware the employees are. You can also organize a bespoke social engineering simulation to find out how easy it would be for threat actors to penetrate your company’s defenses by targeting the human factor. The results can also be used to determine which aspects of cybersecurity should receive more attention in future training sessions.
Draft a good practice guide
Draft a document that details the most efficient ways to help the company and its employees ward off cyberattacks. Such guidelines may include, for example, information about how to configure devices securely, how to encrypt information, how to set up two-factor authentication factor on various services. It’s also important to make sure that the guides are easy to read, contain only the necessary information, and are easily accessible for any employee.
Bonus idea
Lastly, here’s a suggestion to help retain all that information. Leave quick messages or notes that are intended to teach employees about good cyber-hygiene in places where they would never expect to find them – office restrooms, kitchens, and elevators. Finding such a message in an unusual place can actually boost learning and enable the employees to recall the lessons learned when it matters the most, such as when they’re targeted by phishing attacks.