
Create your internal cybersecurity advocates


The month of October marks Cybersecurity Awareness Month, an important initiative now in its 18th year, organized by the Cybersecurity & Infrastructure Security Agency.  The goal of the campaign is to ensure that all Americans have the resources they need to be safer and more secure online. 

While it is an excellent way to bring attention to the critically important topic of security, security isn’t something any company can afford to think about only once a year. Data breaches can happen to anyone, at any time. It’s in every organization’s best interest to take a steadfast approach to maintaining and enhancing security protocols.

With the Covid-19 pandemic came a dramatic shift to remote and hybrid work, forcing organizations to pivot the way they operate, seemingly overnight. Unfortunately, this led to a significant increase in cybercriminal activity. 

There are many ways to address cybersecurity threats, but the one we will focus on in this article is bringing awareness and training to colleagues throughout your organization. Arming your staff, across departments and functions, with the tools they need to understand and identify threats, and to report suspicious activity, can play an integral role in the success of your security efforts.

Awareness and education

Cybersecurity is not something that is taken care of by the IT team alone. Delivering a secure environment for employees and your customers can only be done when all colleagues and departments are working together to understand what security means. 

You may consider starting a security council that can bring together security-focused colleagues, in addition to colleagues from different departments, or locations. Together, this group has the expertise and varying perspectives to understand what the company needs to do to ensure the security of business data, and that of your customers. 

An important goal of your security council should be to create awareness around security protocols in the business. All colleagues need to understand the risks and why you need to continuously improve data protection. 

It is the job of the members of the council to instruct their individual teams on the importance, risks, and measures in place to solve for data security. Everyone in the company should understand, through formal or informal training, how to recognize and prevent data breaches. If they spot something suspicious, they should know how to report the situation directly to the security council so appropriate actions can be taken. 

Different ways to reach colleagues

Many companies offer annual, mandatory security training, which can sometimes fall flat. Colleagues may not fully understand their role in security and go through the motions so they can cross ‘security training’ off the to-do list. 

Because people have different ways of learning, the best approach to reach all colleagues is to produce security information across communications channels. It is also a good idea to try and inspire colleagues while educating them on security, for better engagement and results. 

For some, in-depth posts on your company blog work best. For others, shorter, easier-to-grasp posts on your intranet may be helpful, or even low-budget video content that gives security some personality. Security can be an agenda item at company-wide town halls or department-level all-hands meetings to reinforce the messages.

You can also create small incentives for people to engage with security-related content. Create quizzes to check knowledge retention, and based on the user’s score, they can be awarded a gift card or some other incentive. 

For a visual approach, create posters to be hung on the walls in the office, or computer desktop backgrounds. A constant reminder can help further engrain the importance of security. 


A vital part of your approach should be that security is fun. It’s not scary or boring or whatever else people may think of it. Work with the security council to make it fun to learn, so more colleagues will want to be part of the initiative. 


With all these awareness campaigns, members of the security council become more visible, which is an anticipated and very useful side effect. One way to gauge the success of your efforts can be by the number of questions you receive from others about security. 


Awareness is important, but if few people know how to fix or prevent vulnerabilities, it’s really wasted effort. Be clear in your security communications about what to look for and how to address the issue. For most colleagues, this would be to report the suspicious activity or threat to the security council. Set up a method for capturing those inquiries, which could be as simple as a dedicated email inbox.

Anyone involved in the security of your company should be offered more in-depth training, not only to provide education on how to prevent and fix vulnerabilities, but also to give a better understanding of the whole problem so that they can independently verify whether an issue is resolved or not. As we all know, technology changes fast, so guidelines may get outdated quickly.

Setting up ample awareness and training opportunities helps those who need knowledge on security (that’s everyone) to support the company’s strategy and do their part to decrease security threats. It also helps get more people interested in security, which could result in more members for the security council, which in turn increases the capacity to help colleagues keep data more secure for your company and customers.

Ruben Franzen, President, TOPdesk US