Whether you realize it or not, your employees are a critical part of your layered defense against phishing attacks, malware, ransomware, and more. So why aren’t they concerned?
In just about every news story you read today about another phishing attack, malware infection, ransomware attack, or data breach, there’s a part of the story that’s either covered or implied – a user was involved. The user – whether malicious, negligent, or unwitting – clicked on a link, opened an attachment, visited a webpage… something that allowed a cybercriminal access to execute their malicious actions.
And with attacks having devastating results, like the most recent ransomware attack on global shipper Cosco, which brought its operations to its knees, the question should be raised:
Why don’t employees care about cybersecurity?
It all comes down to one reason: your company doesn’t have a security culture. In essence, they don’t care because the organization hasn’t told them they need to care as part of their job. Hire someone to do accounts payable and what do they think their job is? To do accounts payable. That’s it; security is IT’s job, not theirs. But hire someone into accounts payable in an org that has a security culture, and they still do accounts payable, but they are also constantly watching for cyberattacks, phishing scams, and the like.
So, what does it take to create a security culture?
I’m going to abbreviate the 10 tips to make your employees care about cybersecurity found over at TechRepublic down to just 3 high-level steps:
- Make Employees Aware – The average employee doesn’t brush up on cyberattack methodologies on their own. They need to be made aware that cyberthreats to the organization exist… and that they are the target.
- Communicate Expectations – Beginning with their first day of employment, employees need to understand that the organization requires a level of employee vigilance when it comes to cyberthreats. Help employees to better understand how they are at risk at home and work – and how their actions can make the difference in both locations.
- Train and Test Them – Put employees through Security Awareness Training on a regular schedule, and use simulated phishing tests to identify where your organization’s weakest links are.
While there’s much more you can do to create a more formal security awareness program, the steps above provide the basics necessary to create a security culture.