Cybersecurity is no longer the sole responsibility of the IT department. It made sense for the IT team to own cybersecurity when access to IT assets in an organization was limited. However, as more people in companies are given access to computers and online resources, it becomes expedient to get everyone involved in security matters.
“Clearly, cybersecurity is everybody’s problem. It’s high time this truth was recognized, starting with the executive suite on down.” This declaration from cybersecurity expert Andrew Douthwaite in an article on CSO Online could not ring any truer. Everyone needs to be included in an organization’s cybersecurity strategy because everyone can become an exploitable vulnerability or source of problems.
IT teams may be able to keep up with the ever-increasing volume of cyber attacks and the unstoppable evolution of attackers' techniques and strategies. However, when the attacks start taking advantage of the human weakness in cybersecurity, things can easily take an ugly turn. There is a reason why many consider humans to be cybersecurity's weakest link.
But how do organizations get everyone involved in their cyber defense strategies? What roles should employees play? What could be done to encourage employees who are not fond of getting new responsibilities?
Emphasize the need for cooperation
The point in enlisting everyone’s participation in cybersecurity is to boost an organization’s security posture, not to pass on the burden. It is about sharing responsibilities but not reducing the functions of the IT department.
It is understandable why some may have misgivings about getting involved in cybersecurity. The added seminars or training, new protocols, or even the need to install apps on BYOD devices can be quite cumbersome. However, these are necessary to fortify a company's cyber defenses.
To drive the point of cooperation without making it appear that employees are being forced to do things that are not traditionally part of their job, it helps to adopt continuous security validation. This is one of the best security solutions in dealing with the evolving and rapidly growing cyberattacks at present.
Some continuous security validation platforms integrate the MITRE ATT&CK framework to take advantage of the most up-to-date cyber threat intelligence and methods for detecting, preventing, mitigating, and remediating attacks. This framework includes an Initial Access tactic, covering the techniques adversaries use to gain a foothold, which coincides with the phishing awareness and social engineering vector of a continuous security validation platform.
The phishing and social engineering vector would show how threats can defeat security controls by taking advantage of the limited cybersecurity awareness of some employees who happen to have access to the enterprise network or IT resources. The security validation platform can conduct simulations to demonstrate this.
Again, even with the best cyber defenses and security validation tools, cybercriminals can succeed with their attacks by exploiting human weaknesses. It is not too much to ask for everyone's cooperation to ensure effective cybersecurity, especially when anyone can become an unwitting tool for cybercriminals to break security defenses.
As Gartner analyst John Watts wrote in How to Respond to the 2020 Threat Landscape, “security and risk management leaders must confront the threat landscape based on a continuous assessment of threat and business evolutions.”
Cybersecurity training rarely finds enthusiastic participants in most organizations. To make cybersecurity learning engaging, the concept of gamification or the use of gaming mechanics and elements can help. Many companies are already using this approach to boost their cyber protection learning efforts.
A study by Pulse Training highlights the benefits of gamification in corporate training activities. Popular gaming techniques such as badges, avatars, leaderboards, rewards, levels, and challenges help boost motivation among participants. The study says it can raise engagement by 60 percent and productivity by 43 percent.
Gamification may not always work for everyone. However, it can deliver the expected outcomes with the help of the following recommendations from the Pulse Training study:
- Identification and understanding of the core need
- Knowing what employees want
- Offering incentives for engagement
- Establishing clear goals for employees to pursue
- Providing instant feedback
Introducing cybersecurity champions
Using role models for cybersecurity may not be as effective as having role models for leadership or excellent work performance. It’s not going to be easy to make people copy the cybersecurity habits of an employee since these actions are often not conspicuous or easily observable to other employees.
However, what can be done is to have cybersecurity champions in the workplace. Accenture Managing Director Robert Kress suggests this idea to actively inculcate security-first practices among employees. “Cybersecurity champions can not only act as advocates for security across the organization. They can also provide feedback to the central team on the effectiveness of security programs,” Kress explains.
“Cybersecurity champions” can be an informal designation given to employees who demonstrate enthusiasm in promoting cybersecurity and helping others understand the essence of it. They can be paid additionally for playing the role, or they can form part of the gamification scheme and collect rewards for doing tasks that promote cybersecurity.
Rewarding and reinforcing desirable behaviors
Accenture's Ninth Annual Cost of Cybercrime Study reveals that only a minority of companies incentivize cybersecurity. Only around 4 in 10 of the companies surveyed indicated that they offer rewards or incentives to employees or business leaders who show commitment to cybersecurity.
It would be ideal to have all companies rewarding their employees for being involved and engaged in their respective organizations' security posture. This may entail additional costs, but the returns for organizations are far greater, considering that the average cost of cyber attacks to enterprises is around $13 million according to Accenture's Cost of Cybercrime Study.
Rewarding and reinforcing cybersecurity-enhancing practices requires monitoring, a task that can be handled by cybersecurity champions. At the same time, it is important to inform, commend, or reward employees as they faithfully follow security guidelines and best practices. This can motivate them and encourage others to do the same.
Encouraging a security-first culture
Providing training or orientations for cybersecurity is good, but it may not be enough to establish a workplace culture that emphasizes the need for cybersecurity. To promote a culture that values cybersecurity, it is essential to pay attention to what people in an organization want and need.
Employees need to understand cybersecurity better, but they want the learning process to be interesting or engaging. As such, it helps to incorporate gamification and provide rewards. At the same time, it is important for organizations to make everyone realize the role they play in the cybersecurity ecosystem. In the context of social engineering-based cyber attacks, they can become the means to defeat security controls, but they can also serve as the obstacle to prevent sophisticated people-based attacks from succeeding.