They don’t work because the actions in question are mundane and involve no conscious decision-making. For instance, when registering for a new service, people reuse the same, too-simple password as before simply because that is what they have always done.
Instead of bans, you should train your staff and reinforce good practices. As we enter the less pressing summertime, what better time than now to try out new positive security practices?
Here are five suggestions for you to consider.
1. Carrot instead of stick - reward safe behaviour
In large enterprises it is common for responsibility for security to be split up and divided. While there are organisational reasons for this, we know from social psychology that when a large number of people are involved, individuals slip out of responsibility and assume that somebody else will take action. We also know from experience that the same applies to company cultures.
According to the 2017 Cost of Data Breach Study, the average cost of a security breach is 3.6 million dollars. And as we know, simple tricks like email phishing still work. How can we encourage our staff to take this seriously?
One simple way is to reward your employees for keeping the organisation safe. For example, you could allocate, say, a five- to six-figure sum to the staff’s recreational fund, or give an extra Christmas bonus, if no staff-related breaches happen.
2. Leverage the positive competitive spirit
You can also take the previous idea one step further by creating a positive competition. It works well when the objective is good and benefits everyone.
You could launch a competition where internal teams compete against each other. The winner is the team that demonstrates the most secure behaviour across the board: it uses a VPN or another secure connection method when working remotely, it uses strong passwords for each application, it keeps all software updated, and so on. Since security is part of so many processes, you could also ask the teams to be proactive and reward actions that were not predefined.
Keep the reporting as effortless as possible. A simple way to report could be sending screenshots to an internal communications app to track the efforts of each participating team. The reward could be something fun and supportive, like a half-workday trip to a nice location.
3. Try gamification
Why not add a layer of adventure to security?
You could set up an internal audit round where every employee is asked to find as many phishing emails, messages with malicious links or other loopholes as possible. If you have a capable IT department, they could set it up and create the pseudo-attacks across different corporate channels and platforms.
4. Dedicate time for cybersecurity
Personal security checks should be done ad hoc and every day by everyone. But let’s face it: this just doesn’t happen. Security is truly only as strong as its weakest link.
The best way to improve your organisation’s security level is to dedicate a moment to it for every employee: for example, by allocating an hour for cybersecurity every quarter for the whole staff, either all at once or team by team.
It could include a session where new updates or information are shared. But the most important thing is that each employee gets 15-30 minutes to talk to your security experts and colleagues about new forms of breaches and similar topics.
5. Listen to your staff
Keep your applications, software and processes as easy to use as possible. If common tools and information are too difficult or complicated to access, your staff will opt for less secure workarounds like using personal email or USB sticks.
So listen to your employees and find out how you could make their daily life easier. It’s worth it: you will benefit from a better security posture and increased overall efficiency, and your staff will have one less reason to build the infamous shadow IT.
These are just a few examples that you could use. The basic idea is to turn the security culture into a positive realm. Create an open environment where good cybersecurity practices are discussed and carried out by each and every one on a regular basis.
To know how Tieto Security Services can help you manage your online security, please read more.