How to enlist employees to fight cyber threats
Cybersecurity is often looked at through the lens of IT experts, and what they can do to protect against external threats. The IT department or external IT services provider is seen as responsible for IT security, solving the problem without other employees having to think about it.
In reality, cybersecurity is a collective effort that requires everyone in the business to pitch in. Without securing the buy-in of every employee – and enlisting them to fight cybercrime – there will always be holes in your security strategy that cybercriminals can easily exploit.
Why employees need to engage in cybersecurity
Much like any other kind of security, cybersecurity is often perceived as a service undertaken by experts to keep you safe. IT personnel are the bouncers for your IT systems – preventing the wrong people from getting in, and taking action in case they do. But while this isn’t wholly inaccurate, it is a major oversimplification of exactly what cybersecurity is, and what effective cybersecurity demands.
In reality, cybersecurity is more like the police force. It’s there to keep you safe, and deter people from attacking your systems. But to work effectively, it also has to be supported by the general public (in this instance, your employees). Each person has to take some action and responsibility for their own security, and report problems so that those responsible for cybersecurity provisions can do their jobs.
What this means is that individuals within the business have to work as part of a holistic cybersecurity strategy. If employees aren’t involved in cybersecurity, they will inevitably end up working against the provisions of the IT team or service provider, creating holes in the strategy that could render it moot. So what’s the best way to involve employees in cybersecurity – and how much can you realistically teach people about this complex subject?
Cybersecurity in the workplace
Not everyone is particularly comfortable with or interested in the workings of digital devices. Interestingly, this skill gap exists at both ends of the spectrum, with Gen Z workers often having grown up using phones, and having minimal experience with computers. As a result, the hardest obstacle is often getting buy-in from your employees, and making them comfortable with the fundamentals of cybersecurity.
For the most part, this consists of changing behaviours, rather than engaging with its more technical aspects. While things like updates, firewalls, and malware protection can be overseen and managed by IT professionals, it’s mistakes and misunderstandings by users that can form holes in these barriers. Knowing this – and knowing what not to do – can help ensure that employees don’t undermine the good work of your IT department or service provider.
What employees fundamentally have to learn is that what they do online and on work devices can severely impact the business. This shouldn’t be intimidating, however, as simple corrective actions can prevent any damage before it occurs. These behavioural changes will also have benefits for employees’ personal lives, teaching them principles which will keep their own private data and information safe on home computers, phones and tablets.
How to involve employees in cybersecurity
The first step in involving employees in cybersecurity is to demystify it. The immediate thought about doing anything IT-related is that it will be too difficult or cumbersome, and this can prevent people from engaging with it. Instead, it should be emphasised that good cybersecurity is just about doing the same things you are now, but smarter. It means using browsers, email clients, apps and other aspects of technology in a way that keeps your data safe.
The general importance of cybersecurity should also be reiterated. Data theft and ransomware aren’t just threats to businesses, but also to individuals. Applying the same cybersecurity principles at home will protect employees’ personal data and devices, preventing issues such as identity theft, compromised bank accounts, loss of data or devices to ransomware, or the theft and leaking of sensitive files or information.
Here are some easy ways employees can contribute to better cybersecurity:
- Password managers. Many people use the same, simple password for different accounts because they struggle to remember multiple complex ones. A password manager is an easy way to avoid this issue, with enterprise offerings that cater to all employees and devices.
- Email security. Emails are a common vector for malware and phishing attempts. Employees should be trained to spot phishing emails and to avoid downloading files from untrusted sources. Ideally, file sharing should instead be done via more secure channels, such as enterprise apps like Drive, Teams or Slack.
- Device security. Physical access to computers and phones can compromise security as much as online access. Devices should be locked with a secure password or PIN whenever not in use, and portable storage such as USB sticks should ideally be banned in favour of cloud storage solutions like Drive or OneDrive.
- Clear Desk Policy. While it may not be appropriate or viable for every business, a Clear Desk Policy can help to improve security in busy workplaces, or those where hotdesking is used. This encourages employees to lock up sensitive documents and devices when they are away from a desk, and tidy away anything that could be used to compromise systems.
Like any IT-related jargon, cybersecurity can seem like an intimidating prospect when first raised with employees. It falls on businesses, their IT departments and IT service providers to educate employees on the value of cybersecurity in both a business and personal context – and to explain how even simple changes in behaviour can prove to be powerful safeguards. To learn more about improving your organisation’s cybersecurity, get in touch with us today.