When you hear terms like “enterprise risk”, “data privacy and security”, or “cyber security” do you tune out? Do you think this is for only for highly technical or compliance experts to address? These issues aren’t just a technology or compliance issue. In fact, most data breaches are caused by everyday actions employees take unthinkingly, without malicious intent – habits cyberthieves have learned to exploit. “Employee error” is the #1 most common cause of a data breach, according to a 2015 report by the Association of Corporate Counsel. Sixty-six percent of data protection and privacy professionals agreed in another study published earlier this year, calling employees the “weakest link” in their efforts to foster high security standards.
According to Poneman Institute’s 2016 research, the average, consolidated costs of a data breaches grew from $3.8 million to $4 million year-over-year, not including the loss of customer trust. A data breach is potentially disastrous for organizations, and the likelihood of getting attacked increases every day. Employees are your first line of defense and security protocols work only when people take them seriously—both at work and off-site.
Employees who take data security seriously ensure continued integrity with data both inside and outside the enterprise. The trick is to turn employees into security evangelists. What does that mean, exactly? Security evangelists:
Understand that security risk is every employee’s responsibility
Comply with regulatory demands
Defend the organization actively from IT security risks
Safeguard intellectual property
Take data privacy extremely seriously
Protect against potential loss from data breaches
Act purposefully and think comprehensively about security threats in unexpected places – for instance, how they use their personal mobile devices or speak about work in public places.
Here are 5 tips for fostering a culture where all employees take ownership over security matters.
Design the message in a way that people remember it. Research shows that adults learn best when messages are broken into smaller pieces, directly relate to their work, and are taught over time. Break the most salient points into separate modules and make sure to repeat key messages. It might help your message “stick” with certain employees if you help them get inside the minds and motivations of cyber-thieves. Phishing and social engineering attacks are specifically designed to help hackers exploit innocent employees’ lack of security awareness. Cybersecurity is an actual, exciting battlefield out there with extraordinarily high stakes. Encourage your employees to fight back and protect themselves, their company and their customers.
Cybersecurity threats are always evolving, so a refresher course on a regular basis makes complete sense – and will reinforce more informed behavior while keeping employee skills current.
Carefully select security ambassadors and role models. Within every organization there are key influencers—leaders who most influence the workplace culture. Influencers are not always bosses but often simply effective, charismatic persuaders within their teams. Determine who those people are and ask them to a more active role in spreading the security message.
Equip leaders to drive change with engaging support materials. Design discussion guides for regional leaders to gain adequate support from key influencers. Offer them a communications plan to remind them of the frequency and messaging for follow up. That equips influencers with a cadenced plan to reinforce the message.
Measure changes in behavior, not outputs. In management, you get what you measure. Making security protocols a part of performance reviews reinforces the seriousness of data integrity and everyone’s individual role in fostering it. Conduct a post-launch survey a few months later to measure how behaviors have changed and to remind employee of best practices. Gamification can encourage employees to keep their awareness sharp and current and promote smarter behaviors.
Employees operate at the front line of the cybersecurity war. Inspire them to be vigilant protectors of security and privacy with a well-thought out communications plan.