Cyber-crime is on the rise. Your organization is at more risk today than ever – and that risk will continue to rise. How safe are you really? How exposed are you to hackers – and how equipped are you to thwart them?
To have good cyber security in the workplace, you need staff on your side. They’re your best defense – but only if they’re properly informed and motivated.
October is National Cybersecurity Awareness Month, so what better opportunity to get your employees up to speed? We’ve collected a whole month of cyber security tips for employees: one tip every day to engage your staff and improve your cyber security.
A Month of Cybersecurity Awareness Ideas
1. Enlist support from the top – Involve senior leaders to help you emphasize the importance of cyber security. This could be via a leadership blog, email or (best of all) video message – watching the message delivered directly from the top adds authority and credibility.
2. Play the numbers game – Exploit the wow factor of big numbers to grab employee attention. For example, Information Security spending is forecast to reach $174.5 billion in 2022. Or, the average cost of a data breach in the US grew from $3.54 million in 2006 to $8.19 million in 2019 – a 130% increase in 14 years.
3. Apply visual cues – Use unique branding for cyber security messages so staff immediately identify the nature of the message and act accordingly. Consistent colors, message style and a dedicated IS logo all build employee recall when used every time you send a message to staff.
4. Dedicate a high-priority channel – Only use high-impact communication channels for high-priority messages. Desktop alerts which bypass email and pop up on employee computer screens are very effective in getting attention fast when you need it.
5. Encourage questions – Invite questions from staff around the process, terminology or any other part of cyber security. Fostering a two-way dialogue is important in building bridges between the IS team and employees in the wider organization. It also demonstrates your receptivity to their feedback. Silence is the enemy.
6. Humanize the topic – Cyber security probably doesn’t interest staff the way it does you. Consider creating a persona like Super Cyber Girl to deliver non-essential information. This would function much like brand mascots in advertising, adding creativity and interest to often dry topics.
7. Share your data classification protocol – Train staff on the importance of information classification in preventing information leakage. Gustavo Orozco, SnapComms Information Security Manager, says that by doing this, “data will be more secure, and organizations have more effective barriers against external attackers. When data is classified, and shared with employees, it can raise security awareness, preventing data loss and complying with legislation.”
8. Put idle screens to use – Employee computer screens are an opportunity to reinforce your key messages. Use corporate screensavers to promote correct online behavior or encourage staff to report suspicious activity. You can’t remind staff too often.
9. Use positive messaging – Encourage compliance with security policies by appealing to the psychological desire for pleasure. Showing employees the positive results of behaving correctly, such as personal satisfaction and peer approval, encourages them to associate pleasure with compliance. Who said psychology and security didn’t go together?
10. Optimize for audiences – Not all employees are working on a desktop in an office. Consider staff in other environments when producing and sending your cyber security messages. Make sure messages are optimized for remote or field-based staff using mobile devices, or use digital signage to reach non-desk-based staff in common areas.
11. Gamify – Gamification is a great way of reinforcing a message in an engaging way that staff enjoy, not dread. A simple example of this is creating a staff quiz to educate staff and get them thinking about online best practices.
12. Establish champions – Create advocates in each department to ‘fly the flag’ for cyber security at a grassroots level – where employees have most of their interactions each day. These advocates can help you deliver IS information, provide updates and collect feedback, all at a much more granular level than IS Managers could achieve alone.
13. Jargon-bust – Remove the mystery behind cyber security ‘big words’ by listing terms alongside their meaning. For example, what is 2FA (two-factor authentication)? What does cyber hygiene mean? Maybe quiz staff on what they think the terms mean to get them thinking.
14. Celebrate achievements – Bad news gets attention – and there are lots of bold stories about cyber-crime in the news. But add balance to your communications by also celebrating the things staff and the company have done well, such as the number of phishing attacks stopped this month or year, or accolades you’ve earned for security compliance.
15. Use "storytorials" – Real world examples bring issues and risks to life. Employees understand that since this happened to someone, it could happen to them. But don’t just repeat the facts of the case. Make it into a story by describing the company, the types of people who work there and the elements they share with your company – before getting into the incident itself.
16. Integrate throughout employment – Cyber security isn’t a ‘one and done’ lesson. Integrate it into every stage of an employee’s life cycle with your company. That is, include it in onboarding materials for new hires, deliver a refresher after 1 year, and invite them to become departmental advocates (see above) after 3 years.
17. Make it memorable – Give staff something physical that jogs their memory every time they see it. Having a security-branded notepad or stress ball on every desk is a great way to keep the topic visible between communication campaigns. Plus, everyone loves a free gift.
18. Practice your plan – Run dummy scenarios with employees regularly (after all, you do this for exercises like fire drills). Make these as realistic as possible and ensure all key personnel are involved. As well as familiarizing everyone with the process in a close-to-life scenario, it also helps identify any areas of weakness that should be addressed.
19. Encourage positive culture – Promote company values around scam awareness. Cyber criminals are constantly developing new scams to trap unwary businesses – like AI-generated deepfake audio. Building a positive culture around scam awareness helps keep employees current.
20. Make it personal – Show staff how to protect themselves in their personal lives as well as professional. For example, how to protect their home computer, keep kids safe online, check for viruses, use password managers etc. This helps correct behaviors become second nature.
21. #socialize – Create a memorable tagline to use in all your comms or as a hashtag on internal social networks. The tagline for the 2019 National Cybersecurity Awareness Month is OWN IT. SECURE IT. PROTECT IT.
22. Get staff talking – Establish a collaborative online forum that allows staff to submit cyber security tips. The IS Manager or one of their team should act as administrator to moderate comments and encourage participation.
23. Test understanding – Since you’re putting all this effort into informing and engaging employees, it’s equally essential to test if what you’re saying is being understood. After each training session or communication update, test employee understanding. For example, ask employees to rate a series of passwords in order of security level.
24. Call in the experts – Calling in the big guns is often a good tactic. Staff tend to sit up and take notice of someone new, especially when in a position of authority. Arrange for a local cyber security specialist to visit your workplace and deliver a presentation to staff.
25. Use humor – Cyber security is a serious subject but injecting some humor into it can increase employee interest, when appropriate. Search for relevant memes or customize them with a picture of your IS manager. These are certain to get attention, which provides an opportunity for slipping information in almost unnoticed.
26. Create a repository – There’s a lot of cyber security content about. If you want staff to read it, you need to make it easy for them. Summarize useful resources you recommend on your corporate intranet or similar platform. Let staff know when updates are made so they are encouraged to access it regularly.
27. Practice makes perfect – Use progressive email testing in simulated attacks. Start with comparatively easy simulations, progressing to content that’s increasingly difficult for staff to identify as malicious. Track levels of staff compliance with your security policies. This helps define your potential risk level: when staff are opening or interacting with specific messages, that’s your area of greatest risk.
28. Challenge beliefs – It’s common for staff to have a relaxed attitude toward cyber security – as though it’s something which won’t affect them. That’s a recipe for risk. Challenge notions of safety with the reality and repercussions of big breaches.
29. Keep a record – Use message validation to collect a record of employees’ agreement with cyber security policies. This is done by including an ‘I accept’ button in messages, which employees need to click to confirm they have read and understood the message. For IS Managers, this is an important tick for compliance.
30. Recap what’s been learned – At the end of Cybersecurity Awareness Month, send employees an email recapping the information they’ve learned throughout the month. If you’re feeling generous, award prizes to those staff who performed well or who actively participated.
Cyber security in the workplace is everyone’s business. Take the opportunity of this year’s Cybersecurity Awareness Month to get every employee behind you – and banish the hackers.