Originally posted on the AwareGO blog. Reprinted with permission.

Training | May 9, 2019 | Ragnar Sigurðsson

For over 30 years companies have been connected to networks and the internet. And for almost all of that time they have been dealing with cyber security threats. From all this experience one thing has become absolutely certain … The best way to secure your network and keep your data safe is security awareness among employees. Equally important is employee engagement in security awareness training.

ChiefExecutive.net wrote an article entitled, “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” In reality, business owners often get great antivirus software and powerful firewalls, and that’s great news. The bad news, however, is that they forget to factor in the human element when it comes to cyber security.

Security Awareness Training is an effective way to help avoid some of the cyber threats that exist in the world. Many of them will arrive on a business’s network via email attachments and malicious websites. Therefore, teaching your staff what to look for is an excellent way to reduce your company’s risk.

Why is employee buy-in so important?

We talk a lot about buy-in in almost everything that we do with staff. In every training, we hope to get employees emotionally invested in what we’re doing. The problem is that getting employees excited about a new loyalty card or the latest computer program is difficult. Cyber security awareness can impact every employee, customer, manager, and the company as a whole. Employees must understand that the impact of ignoring cyber security could mean the loss of their data or their jobs.

Threats to the company and employee jobs

According to Accenture, the average cost of a malware attack on a company is $2.4 million. In fact, most small businesses are out of business within six months after a breach. Larger businesses can suffer permanent reputation damage from a breach of customer data.

It shouldn’t take much to explain to the staff that $2.4 million is a significant portion of salaries. It can mean the difference between a raise and no raise, layoffs, and lack of help, regardless of how busy everyone gets. In other words, cyber threats are not an abstract concept, but a very real and dangerous threat to the company and to every employee.

Threats to the employees’ data

One threat that most employees don’t think of is their personal data. Every employee’s social security number, and their spouse’s and children’s social security numbers, are on the company’s network. The same goes for their addresses, telephone numbers, emails and more. Their resumes can also be on the company network. Phishing scams on them, their spouses, or their children can all be easily done with the data that is on their resume. With any luck, all of this will bring home the idea that cyber security is in their best interests as well as the company’s.

Formatting training for employee buy-in

To ensure employee engagement in security awareness training, make the training short and entertaining. In addition, it needs to be informative, but it doesn’t need to be boring. The classes can take place over several days or even weeks. Just keep in mind that nothing annoys employees more than an 8-hour class on something that has nothing to do with their jobs.
Therefore, you should make the classes short and focus on one aspect of security at a time, such as email security, password security, etc.

The key is to deliver lessons in smaller portions so that everyone can learn what they need to without getting bored.

Another great way to make people aware is to use short security awareness training videos that provide them with learning without even needing to leave their desks. You can confirm that they took the course by having them fill out a test. You could also use a log-in tracker that tells you who looked at the whole training and who didn’t.

Consider offering a reward for great behavior

Of course, not all breaches are obvious, but in most cases, it’s easy to tell how a virus or other piece of malware entered the network. Offering everyone a raise might seem a little outrageous. However, it will probably cost you less than $2.4 million and millions more recovering the company’s reputation.

Let employees teach the classes or appoint superusers that can deliver security knowledge to their peers. Anything that “comes down from on high” is immediately tainted with boredom and strange policies that have no context. If you have an office full of machinists, it will be easier for a machinist to explain to them the importance of cyber security.

The easiest way to ensure employee buy-in for cyber security awareness

The short and simple answer is to include your employees as if their livelihoods depended on it. Because they do!

Approach security awareness from the perspective that this is really their concern too. You’ll be able to speak to them in a way that makes them feel included and not simply lectured at.