Raising awareness and training employees on cybersecurity is hard. It’s draining. It’s thankless. And all too often, it’s ineffective. A big part of the problem is that IT approaches it with unrealistic expectations, and with tactics and messaging that may resonate with the security team but not with its audience. As a result, there’s often a disconnect between the security team’s motivations and priorities and those of the rest of the company.
In an ideal world, IT would be recognized by management and co-workers as the esteemed guardians of the system and sage-like purveyors of critical knowledge they clearly are. The reality is a little bit different. However, security experts can take steps to bridge the gap and help to reinforce best practices among their colleagues. In this slideshow, Jack Danahy, co-founder and CTO of Barkly and 25-year veteran of the security industry, has identified steps you can take to improve cybersecurity in your organization.
Improving Cybersecurity
Five steps you can take to improve cybersecurity in your organization, as identified by Jack Danahy, co-founder and CTO of Barkly.
User Adoption
Expectation: Everybody will do what’s right: our people, and the people and organizations we partner with too.
Reality: “Right” doesn’t always mean safer. It’s often about being cheaper, easier or faster.
Try this: When security teams make better security available, they often assume the rest of the company will quickly and willingly adopt it. Because this is a new domain for many employees, don’t judge those who don’t understand it. Instead, expose and explain security choices in layman’s terms, and create avenues to reinforce these values.
Computer-Based Training
Expectation: We can knock out security training in a one-and-done computer-based training (CBT).
Reality: Effective training requires consistent reinforcement and exposure to real-world scenarios.
Try this: Think of CBT as one of many tools in your toolbox. Realistic phishing tests that show employees what it is like to get phished, and how to report it, will help them better understand security processes and reinforce positive security practices.
Make It Personal
Expectation: Name-dropping big, scary breaches in the headlines will hit home.
Reality: No one cares because it happened to someone else.
Try this: Make training and security education personal. Give examples of breaches that have occurred, how they could have been prevented and what the damaging effects were.
Outline Consequences
Expectation: Security is one of every employee’s top priorities.
Reality: They have jobs to do.
Try this: Continually drive home the message that data equals cash. Lax security that results in a loss of data equates to poor business performance. This affects raises, promotions and job security.
Be Clear
Expectation: We speak the same language.
Reality: We might as well be speaking Blorg.
Try this: Educating your colleagues doesn’t mean that they will become security experts. Avoid acronyms and jargon-heavy emails. Be clear and concise when explaining security warnings employees should watch for, and provide simple instructions for how they should handle them.