It’s commonly agreed that what makes an organization stand out most are its people. Most business leaders will highlight their team members’ contributions before anything else – after all, it’s not a building or a service or a product that makes an organization. It’s the people.
However, when it comes to security, the legacy view says the opposite: people are often referred to as the “weakest link” in security.
But is this true? We really don’t think so.
When you involve your employees and enable them to be part of a conscious, secure culture, they can help boost all levels of your security. As discussed by our Head of Advisory CISOs for Cisco Duo, Wendy Nather, “democratizing security” is essential to keep your organization safe.
In a recent Cisco Chat Live streamcast, Cisco Product Marketing Manager Hazel Burton sits down with Cisco Advisory CISO Wolf Goerlich and Elevate Security co-founder Masha Sedova to offer small and medium-sized businesses tips on how to establish lasting security awareness.
Security awareness training programs – how to keep your organization engaged
Security awareness training programs are a source of untapped potential. They could be the first step in creating a culture of security, but too often they are unengaging and overly impersonal. These ineffective, one-size-fits-all programs can negatively impact your organization by making cybersecurity a chore.
To make security people-powered, Masha suggests a more gamified experience. One tactic that she has found successful involves turning the tables and asking employees to put themselves in a “hacker mindset.” After introducing the basics of what information an attacker might want, employees are prompted to reflect on which attacks they would potentially fall for, such as a fake charity or a sports membership organization asking for money. This helps them understand where they might be vulnerable while making the instruction more engaging.
It’s also important to tie security training to what already keeps your teams motivated. Having a good understanding of your people will help you communicate the importance of security in a personalized way. Sales teams, for example, may respond well to competition-based training. This could include having a leaderboard that tracks the number of days phishing attacks have been successfully avoided or reported.
These techniques will also help create a culture of reporting in your organization, which goes a long way in combating phishing attacks.
When it comes to phishing, organizations should use more gaming and less shaming
To reinforce this reporting culture, Wolf Goerlich recommends measuring the success of phishing training by how quickly employees report phishing attempts, rather than by the traditional metric: the number of employees who open malicious links and attachments.
Focusing on employees that mistakenly compromise themselves creates a culture of shame around reporting and may discourage people from coming forward. Instead, celebrating phishing reports as part of a successful security program will give your employees more incentive to notify security teams.
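As an added illustration of that measurement (example code written for this page, not code from the Cisco Chat Live discussion or from any product), the Python below scores a constructed phishing-simulation export by time-to-report and by per-team report rate instead of by click count. The CSV layout (timestamp, user, team, event) and the event names sent/click/report are assumptions, not any real tool's schema; the event lines are made up for the example.

```python
"""Score a simulated phishing campaign by reporting behaviour, not clicks.

Added example. The export format below is an assumption: one line per event,
"timestamp,user,team,event" with event in {sent, click, report}.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export from one simulated campaign (not real data).
SAMPLE_EVENTS = [
    "2024-03-04T09:00:00Z,alice,sales,sent",
    "2024-03-04T09:00:00Z,bob,sales,sent",
    "2024-03-04T09:00:00Z,carol,eng,sent",
    "2024-03-04T09:00:00Z,dave,eng,sent",
    "2024-03-04T09:00:00Z,erin,finance,sent",
    "2024-03-04T09:03:15Z,carol,eng,report",
    "2024-03-04T09:07:40Z,bob,sales,click",
    "2024-03-04T09:09:10Z,bob,sales,report",  # clicked, then owned up and reported
    "2024-03-04T09:25:00Z,alice,sales,report",
    "2024-03-04T10:40:00Z,dave,eng,click",
    # erin neither clicked nor reported
]


def parse_events(lines):
    """Turn CSV lines into dicts; unknown event types are skipped, not fatal."""
    events = []
    for line in lines:
        ts, user, team, event = line.strip().split(",")
        if event not in ("sent", "click", "report"):
            continue
        # Older Pythons do not accept a trailing "Z" in fromisoformat.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "user": user, "team": team, "event": event})
    return events


def score_campaign(events):
    """Return report-centred metrics for one campaign.

    Keeps the earliest timestamp per user per event type, so a user who
    reports twice is counted once, and a click after a report is still a click.
    """
    first = {"sent": {}, "click": {}, "report": {}}
    team_of = {}
    for e in events:
        team_of[e["user"]] = e["team"]
        bucket = first[e["event"]]
        if e["user"] not in bucket or e["ts"] < bucket[e["user"]]:
            bucket[e["user"]] = e["ts"]

    sent, clicked, reported = first["sent"], first["click"], first["report"]
    targets = len(sent)
    # Only users we actually targeted can have a meaningful time-to-report.
    delays = {u: (reported[u] - sent[u]).total_seconds()
              for u in reported if u in sent}

    # Team leaderboard ranked by share of targeted users who reported.
    board = defaultdict(lambda: {"sent": 0, "reported": 0})
    for u in sent:
        board[team_of[u]]["sent"] += 1
    for u in delays:
        board[team_of[u]]["reported"] += 1
    ranking = sorted(board, key=lambda t: board[t]["reported"] / board[t]["sent"],
                     reverse=True)

    return {
        "targets": targets,
        "click_rate": len(clicked) / targets if targets else 0.0,
        "report_rate": len(delays) / targets if targets else 0.0,
        "first_report_seconds": min(delays.values()) if delays else None,
        "median_report_seconds": median(delays.values()) if delays else None,
        # People who clicked and still reported are the ones to celebrate.
        "clicked_then_reported": sorted(u for u in delays if u in clicked),
        "team_ranking": ranking,
    }


if __name__ == "__main__":
    for key, value in score_campaign(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

With the constructed events the campaign scores a 40% click rate but a 60% report rate, a first report 195 seconds after send, and one user (bob) who clicked and then reported; ranking teams by report rate rather than shaming clickers is what turns the same data into the leaderboard the post describes.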
Making your people the strongest link
Ultimately, employees’ level of security awareness reflects how well your awareness training programs work, or whether you have them at all. Programs that are both gamified and personal keep your employees motivated to help keep your organization secure.
By building a culture of awareness and reporting, businesses can make their people the strongest link when it comes to security. For more details on how to get the best out of your employees and security teams, check out the clip above.
Note: this blog is part four in a five-part series.
You can read the previous blogs in our SMB Cybersecurity series here.
To watch the full Cisco Chat Live discussion, please visit Cisco Chat Live SMB Myth Busting.
If you are interested in unpacking more myths surrounding SMB security, consider reading “Big Security in a Small Business World.”
I think that there’s a bit of a culture of ignoring phishing amongst more technically “sophisticated” people in organisations. That filters through to those who might be more susceptible to the attacks, so this is a great article.