How do you raise awareness about cybersecurity among the workforce?
Experts discussing cybersecurity in any forum say that the weakest link in any organization’s defense is its staff.
While that’s absolutely true, there’s unfortunately no guidance on what business leaders can do to raise awareness about cybersecurity in the workplace.
And, in the midst of a pandemic, with remote working employees now scattered, ensuring any message hits home has become that much harder, and that much more important.
Of course, there are training programs being offered by vendors and there are learning and development teams tasked with creating campaigns and programs for this purpose, but creating something tangible is hard.
Raising cybersecurity awareness is different from most other training provided in a workplace because it is neither prescribed by regulations nor standardized in any way. There’s no user manual.
To make things more complex, the nature of the organization’s business, its industry and geographic location, and its particular cybersecurity strategy must be factored in when raising awareness within the business.
However, none of these details are clear to those planning activities and training programs related to cybersecurity awareness. As a result, staff are unable to get the most out of these programs despite their best efforts — and that needs to change.
Here are the three things that organizations keen on raising cyber awareness in their workplace must do in order to make an impact and see tangible results:
# 1 | Pair learning & development professionals with IT professionals
The first step to creating an effective cybersecurity program is to pair IT professionals with professionals in the learning and development team.
Doing so will ensure that the two are able to collaborate and develop something that is not only comprehensive but also easy to understand and recollect when it really matters.
“By working to the context of the company, people understand that you’re not an old-fashioned security function that wants to say ‘no’, you’re one that wants to enable,” Kevin Fielder, CISO of Just Eat, told TechHQ.
“The more joined up you can become with the organization, the more you become a part of the fabric, so you’re not just the security team, you’re a helpful team that does security.”
# 2 | Create a consistent message that can be shared often in various formats
One of the biggest obstacles to raising cybersecurity awareness is the fact that it is treated as a learning module rather than a part of the organization’s culture.
When treated like the latter, the organization can repurpose the awareness program to reinforce key messages.
Those messages need to be visible, and for a remote workforce that means getting creative. While a long email from the CTO might get lost, key messages could be pinned on the company-wide Slack channel, for example, or time could be allotted for a team cybersecurity webinar on a Friday afternoon, where screens can be shared and all staff have the chance to ask questions or interact with polls.
# 3 | Update the cybersecurity awareness kit as and when the landscape changes
Most organizations that have a cybersecurity awareness issue have a kit, irrespective of what it is called internally. That kit needs to be updated frequently, as and when the landscape changes.
Take malware, for instance: if its mode of delivery changes, organizations must quickly communicate how things have changed, the impact on staff, and what constitutes responsible behavior, through training as well as cultural messaging channels.
While the suggestions are fairly simple, they require management support to be implemented because cross-functional teams aren’t easy to build.
Of course, raising cyber awareness is just one part of the puzzle, and investment in the right tools is still going to be key to putting up a strong defense against cybercriminals.
Once done, however, success is almost guaranteed, and the organization is more likely to keep its data and networks protected from cyberattacks.
30 November 2023