How HR and L&D Can Create Cyber-Secure Cultures Within Organizations
October is Cybersecurity Awareness month in both the EU and the USA. In both parts of the globe, this is an annual collaborative effort between governments and industries to raise awareness about the importance of staying safe online and to provide information about resources to help people navigate the Internet in a more secure way.
Digital transformation is charging full steam ahead, and quickly. There are new, more insidious cyberthreats to be aware of – McAfee predicts that the continued growth of the Internet of Things (IoT) will inspire criminals to target those devices for monetary gain, and attacks will likely be more agile due to the application of AI.
As such, cybersecurity is an increasingly important area of focus for many organizations. According to Towards Maturity, however, only four out of ten L&D leaders reported that their team is able to help their organization manage cyber risks successfully.
In a world where software is only getting more malicious, and each individual – and his or her myriad accounts and devices – is a potential target for cyber criminals, it’s crucial that organizations ensure their employees are not only well-educated in cybersecurity, but also view it as a shared responsibility. Read on to get some tips on how to build a cyber-secure culture within your organization.
Don’t wait for October to think about cybersecurity!
It may be Cybersecurity Awareness month, but at Speexx, we like to think of this as a year-long thing. Education is one of the best ways to prevent hacks and other cybercrimes. Ongoing trainings, whether they’re quick, mandatory online tests or quarterly webinars, are key to drilling best practices around cyber hygiene in your employees’ minds.
This is where microlearning, or the learning approach that describes small learning units and short-term activities, might be very effective. Instead of forcing the organization to watch a 20-minute video about cybercrimes, you might consider nugget-sized games or five-minute graded questionnaires on a monthly, even weekly, basis. It’s also measurable, so you can see, in the example of gamification learning, your employees’ scores and who has finished what modules of training.
If training on this topic is not regularly instilled, it won’t be seen as such a high priority by employees.
Make cybersecurity fun.
As with all learning, people will pay more attention if they’re enjoying themselves. You might consider a role play scenario involving actual people within the company, and looping in the C-suite to both “humanize” your managers to the rest of the company, and also enforce the idea that cyber safety is indeed a priority.
Consider showing examples of how a minor slip-up – i.e., not using multifactor authentication, as recommended by Microsoft (sticking instead to the “ancient and obsolete” method of periodically changing passwords), or clicking on a suspicious link – can create a truly sinister chain of events for an organization.
Start with the basics.
Technology changes every day. Even Millennials are starting to feel like those from the Gen Z cohort are running circles around them when it comes to the latest hardware gadgets and software tools. That’s why it’s important to avoid making any assumptions about people’s cyber literacy, and instead start from the beginning with all of your trainings – not everyone might know what a VPN is, or be familiar with the benefits of single sign-on.
Cybersecurity might already seem daunting, so it’s important that everyone in the organization can learn from his or her level of expertise, and feel safe asking questions.
Continually manage risk.
You know you have a high level of risk if you’re hacked. But don’t wait until a catastrophe to determine how likely you are to be in danger!
Risk assessments can be performed on any application, process or function in your company, but it’s extremely difficult to perform an assessment on everything. You’ll need to identify internal and external systems critical to your operations, and account for data related to healthcare, finance and so on. For the hundreds or maybe thousands of categories of risk an organization may have, there is a wide variety of possible for threats for each one.
Common threats include: data leakage, misuse of information, loss of data, disruption of service or productivity, unauthorized access and more.
It’s worth noting that there are many companies who help with risk assessment, and sometimes getting a third-party expert to weigh in might help you identify blind spots. Whether the risk assessment is done internally or outside risk management and cyber security solution expertise is applied, it’s important to involve many key players across different departments at the organization to ensure you’re not missing any systems from any department that could be compromised.
Creating a successful cyber-secure culture involves continuous training, recurring emphasis on its priority with the organization – especially from leadership – and opening up a safe space for questions and feedback. Don’t wait until October to think about this again – this should be a “hot item” every month!