Risk Management
Cyber Hygiene: How to get buy-in from employees
Good cyber hygiene starts with buy-in across the enterprise. Discover how CISOs can establish a company-wide security culture to reduce risk.
Cybersecurity Awareness Month 2022 Series
"However good a drug is, it is no good if people don’t take it or take it badly"
Dr. Anthony Fauci
Why is cyber hygiene important?
As the cost of a data breach continues to increase, enterprises must keep up with cyber hygiene best practices. But simply focusing on security controls and procedures like using antivirus software and applying security patches isn’t enough. We need to change our approach. Human behavior that leads to low security adoption rates and poor cyber hygiene must be considered to avoid data loss and security breaches.
Humans are often the first line of defense. Remote work and the influx of connected devices and mobile devices on insecure home networks have expanded the attack surface. Verizon reported that 82% of cyber incidents involved human error. And according to Reciprocity, only 55% of people are vigilant about cybersecurity when working from home. Thus, even if you have a VPN for remote workers, it’s rendered useless if they forget to use it before signing into their email.
Not only does this put the business at risk but employees are impacted as well. Costly security breaches can lead to bankruptcy or closures, leaving staff suddenly unemployed.
Barriers to good cyber hygiene
Why is it so challenging to get company-wide buy-in? Let’s look at the similar issue of patients taking their medicine.
At the 24th International AIDS Conference, presenters discussed improving outcomes and new areas of research, including the use of mRNA vaccines to help flatten the spread of the disease. Last year 650,000 people died from HIV. We know how deadly the disease is, yet the largest impediment to halting its spread is getting people to take their medicine. In the US, only 40% of patients take their daily pill regularly – more than 90% of the time. Another 20% adhere to their routine “suboptimally” – meaning 80% to 90% of the time. The remaining 40% follow it poorly, taking the medicine less than 80% of the time. Three out of five sufferers do not follow their doctor’s recommendations.
CISOs and security leaders must accept that getting employees to follow cyber hygiene best practices is difficult. Human nature is very malleable, and not everyone is an information security or technology expert. Forgetfulness, fatigue, and other structural barriers can introduce weaknesses in your first line of defense.
5 tips to improve cyber hygiene
Businesses need to address these three barriers when creating a strong cybersecurity framework. For example, the closer the reminder is to the decision, the more effective the reminder will be. Resolving fatigue means designing security controls to make doing the right thing easier than doing the wrong thing. To understand those other structural barriers, we need to research what it is that compels people to make an improper choice, then tune and regularly update our cybersecurity interfaces to guide people to make the safe choice.
Here are 5 tips to achieve company-wide buy-in and avoid poor cyber hygiene:
1. Lead by example:
Don’t pull rank and – unbeknownst to IT – use your favorite app to conduct confidential business. Leaders are responsible for setting precedent and demonstrating what security looks like in everyday business practices.
2. Tell a story:
Storytelling is an effective method of communication. A majority of employees aren’t passionate about cybersecurity, so you can expect lots of glazed-over eyes and turned-off cameras when you bring out the pie charts. Instead of dry PowerPoints, build a relatable narrative that highlights a few recent incidents and how they impacted everyday business functions. For example, a story about a BEC incident that shut down email accounts or stole money out of the bonus pool would certainly get the attention of employees.
3. Encourage collaboration and questions:
Encourage information sharing across all teams. Set up an inbox that staff can forward suspicious-looking emails to instead of leaving them to their own devices. Some staff may feel too intimidated, or fear being judged by security experts, to come forward and ask questions. Positive, supportive communication is vital to encourage staff to work with security teams.
4. Simplify security systems:
Don’t let complexity be a barrier. Remove friction by setting up system alerts to remind employees to rotate complex passwords, update hardware and software, back up sensitive data, etc. If possible, create guided tutorials to help less tech-savvy employees follow policies. These don’t have to be Hollywood-grade productions; marked-up screenshots with concise instructions will suffice.
5. Monitor metrics:
Using gamification, competitions, or quick – keyword: quick – tests in security training helps you monitor which modules resonated as well as employees’ knowledge levels. Furthermore, people are motivated by success. If your company-wide phishing test has great results, share those numbers with employees to encourage further vigilance.
Next steps
Cyber hygiene is not a complex problem, but it is challenging, which means we need to research and understand the underlying barriers to design solutions that support the safe choice.