We all know the answer to the question. There is no shortage of security advice, guidance, dos and don’ts and directives for any employee. But the language often continues to confuse, the advice is often unrelated to the daily priorities we all face in our busy working lives, and there is often no real indication of why and how adopting different measures will benefit you.
We need a different approach. It’s not that we need more or different advice, it’s the way we listen to and communicate with our employees that needs to change. Training employees effectively about keeping company or personal information safe and secure requires our training and communication to be:
- Timely: How can it have a positive impact on me doing my job, right now?
- Empathetic: Does it appreciate the pressures and needs that I have?
- Actionable: Is it doable?
- Relevant: Does it answer the question, “Why me?”
During the last 18 months, we have all needed to adapt like never before. We’ve had to get used to working from home much of the time and many of us have now adopted new hybrid methods of working that combine working from home and in the office. Cyber security has not been a priority for many of us or our employers at a time when managing both home and work pressures and enabling new digital operations and home working have been top of mind.
Yet the risk to us and the organisations we work for from cyber-attacks continues. I recently spoke with a small business owner who had been the victim of a phishing scam that played to her fears about cyber fraud as the basis of the scam. It’s cost her valuable time and money that will take time to retrieve. Recent research highlighted that the most common cyber incidents in 2021 so far have been ransomware attacks, stolen laptops, phishing attacks and CEO fraud – all human cyber risks. We have all been victims or know family and friends who’ve been victims of a cyber-attack. It’s part of our daily lives.
The implications are clear. The risk is real, securing your business is vital and technical solutions are often expensive, but it’s you and your employees’ behaviours that are your greatest vulnerability to cyber criminals.
So, during the UK’s Cyber Security Awareness month in October, what can you do that can make a real difference?
- Ask what day-to-day security fears or concerns your team has (at home, on the move or at work). Responding to these fears can go a long way to building a collaborative security culture. Securing your firm is a vital part of any culture and all your people have their role to play in helping you.
- Consider sharing and discussing a weekly cyber story. We all have our own experiences or are aware of friends or family who’ve been attacked in some way. Let’s share and discuss these stories as a team. They’re a great way to share advice together and give people the confidence to talk about the tell-tale signs of a cyber-attack we all need to look out for.
- Keep your door open to any questions that your employees may have. Your staff may worry about wasting your time or asking you something they feel is not important. Recently I spoke with a CEO, whose organisation lost nearly £500k in a CEO fraud – he’s worked hard since to change the culture that previously did not encourage staff to voice their suspicions or to ask the simple questions that would have prevented the loss.
- Make it easy for your employees to report suspicious emails or other communications. Getting speedy visibility of potential attacks is a critical part of your ability to minimise the potential reputational and operational damage a successful attack can have.
- Target your security awareness training where it’s needed most. Identify the biggest human cyber risks you face and what behaviours enable these risks. Focus your time on reducing these risks by providing targeted and regular awareness training to your higher-risk employees and teams.
- Train your employees in their exact moment of need, i.e., when they display risky behaviour and don’t even realise it.
We specialise in helping organisations like yours manage their human cyber risks.