We asked a panel of 20 cybersecurity experts and business executives what advice they had for improving employee cybersecurity awareness. Here's what they had to say.
Humans are almost always the weakest link when it comes to security, and the link over which companies have the least control. You can leverage a vulnerability scanner and continuous monitoring solution to bolster your security posture and even implement security policies to hold your employees accountable, but even the most comprehensive cybersecurity controls will eventually fall short if your employees lack cyber awareness. Why? Because your employees may understand your policies and make an effort to follow them, but if they don’t understand the “why” behind the best practices, it’s inevitable that someone will take a shortcut or forget to report a suspicious email or incident, inadvertently opening the door to an attack.
They may dispose of an old device they previously used to access company resources without taking the necessary steps to remove sensitive data, or they may access the company network from an unsecured Wi-Fi network because they’re in a hurry to complete a task. They may fall short of following cyber hygiene best practices by writing down their recently updated password on a sticky note so they don’t forget to store it in their password keeper later. Cyber awareness is more about the actions your employees take because of the knowledge they possess than simply what they know.
Improving employee cyber awareness is an important first step in building a cyber aware workforce, but moving from cybersecurity awareness to actionable steps is what builds a robust information security program. Putting a cybersecurity awareness training program in place that clearly explains company policies and provides the tools for employees to practice cyber aware behaviors fosters a security-first culture that strengthens the weakest link: humans.
If you’re just getting started developing an employee cyber awareness program, the sheer volume of the knowledge you need to impart on your team can be overwhelming – not just for you, but for them, too. To help you focus your efforts where it counts, we reached out to a panel of cybersecurity experts and business executives and asked them to answer this question:
"What are the best practices for improving employee cyber awareness?"
Meet Our Panel of Cybersecurity Experts and Business Executives:
Read on to learn more about the best practices you can implement to improve employee cyber awareness.
Evan Eakin
Evan Eakin co-founded the Denver-based MSP Elevate Services Group. He has deep experience navigating organizations through transformation including program formation, cloud strategy and implementation, and setting up cybersecurity defenses.
"When it comes to the best practices for employee cyber awareness, it’s important first for…"
The leadership team to align on the appropriate strategy for a security awareness program, the employee expectations, and the measures of success for the program.
Second, it’s best practice for the leadership team to incorporate a security awareness program into any preexisting company-sponsored learning and development programs, so employees don’t have to choose one over the other but see their participation in security awareness as one-and-the-same.
The program should address information security risk areas that are real to the roles and responsibilities of those in the organization. For example, if the organization has a large traveling workforce, the security awareness program should have content that provides useful knowledge on how to avoid data compromises that happen on public networks, such as airports, mass transit, and coffee shops. The more relatable the security awareness content to the role, the more likely the employee will act on the suggestions and recommendations. Make the content easy to consume in short intervals and splice video training with lunch & learns or other formats of live, in-person training to allow for Q&A.
Katy Hinchcliffe
Katy Hinchcliffe is a highly regarded cybersecurity leader. With more than a decade of experience delivering a broad range of cybersecurity services to enterprise clients for global IT outsourcer Capgemini, notably managing the prevent, detect, and respond functions on behalf of RollsRoyce, Katy is now responsible for developing Littlefish’s Cyber Security practice.
"Nearly all organizations are investing in user security education and awareness…"
But almost 60% acknowledge that they need to do more. Companies need to be more creative in their approach to providing cybersecurity education, and it makes sense to actively test the success of any education program to measure the ongoing effectiveness of the content and delivery methods. Your employees have a critical role to play in your organization’s security. Your security policies and technologies enable your employees to carry out their jobs effectively, while contributing to a secure environment. This can be supported by a regular, concise, and engaging security awareness program, delivering security knowledge and engendering a security-conscious culture within your organization.
The stale approach of providing security education for new employees at a time when they are overwhelmed with a deluge of information, supported only by a tedious annual ‘refresher,’ is widely understood to be unsuccessful and frustrating for employees. The fact that users continue to click on links, enter credentials, and open malicious attachments is testament to the ineffectiveness of this approach.
That said, a robust security awareness briefing is important and enables expectation-setting from the outset, particularly in relation to user responsibilities. The best approach to delivering a cybersecurity awareness program is by providing sharp, focused, and relevant information to your users. You must be thorough and consistent, and the content must be delivered at regular intervals to maintain interest, embedding cyber awareness so it becomes habitual for your employees, not just in the workplace, but also at home. The information must be understandable, actionable, and easily digestible. This will ensure your users will have the information to recognize suspicious or unusual behavior, recognize their professional and legal responsibilities, and know how to react to a range of cyber situations.
Using engaging design and content to help bring real threats to life will give your employees the knowledge and experience needed in order to activate the right way in a real-life scenario. The content of your cybersecurity awareness program should be adapted to focus on industry-specific threats and align with your internal security policies.
Nelson Gomes
Nelson Gomes is the Head of Networks at NEC New Zealand and is responsible for the Communications and Security areas of the business including cybersecurity, network security, networking, microwave technologies, and optical transport.
"From old school phishing attacks to untrusted browser extensions to weak passwords and more, the opportunities for cyber criminals to gain access to your network and create havoc are numerous and need to be addressed with employees at every level of your organization."
While software can certainly help as the first line of defence against cybersecurity attacks, there are other steps to put in place that will help to minimize the threats both to your business and also to your employees on a personal level.
1. Mandatory Training
As part of any new employee induction program, a cybersecurity awareness course should be included. One of the biggest threats to an organization’s cybersecurity is the people that work there. More often than not, this threat is inadvertent, so putting in place a formal training program provides a giant step forward in the fight against cyber security threats.
While training at onboarding is an important step, it’s important that it’s not a ‘one and done’ approach. Cyber security threats are constantly evolving, and your training program needs to evolve at the same rate. Regular refresher courses should also be mandatory for all members of staff to keep them up to date with the new threats and what to look out for.
2. Regular Communication
While it’s great to get people in for regular training, this can be difficult in larger organizations where training demands for staff tend to be high and can get in the way of them doing the job they are being paid to do. Agree on a training program that meets the needs of all members of staff and supplement your training program with regular communications, either via a newsletter or intranet.
These updates should provide relevant examples of any cybersecurity threats that have occurred within the business as well as alert staff to any common threats that have been cited locally, nationally, and globally. Raising awareness of simple things like phishing scams and social engineering attacks can help to keep people from clicking on malicious links, reducing the threats to your network.
3. Encourage People to Report Suspicious Activity
One thing that people often fear is making a mistake. There are so many sophisticated ways that cyber criminals try to get people to click on a malicious link, and the fear of doing so or having done so can lead to people not reporting potentially harmful actions.
It’s important to communicate a message of support. Clicking on a malicious link can happen to anyone. It’s important to reiterate that people will not get in trouble for doing so – and instead, emphasize the importance of reporting any potential incident in a timely manner to help shut down the threat as quickly as possible.
4. Keep Things Simple
Cybersecurity can be confusing and can get complicated. Cybersecurity guidelines, manuals, and training programs will often be written by IT departments or security personnel and can be full of technical jargon that makes it difficult for employees to understand and follow.
Instead, get your IT or network security team to work with the marketing department on any communications to ensure that everything is written in a way that makes the information easy to understand and follow. Keep rules short and simple and in a language that makes it easy for non-IT staff to understand.
5. Cybersecurity is for Everyone
Cybersecurity is for everyone, not just the foot soldiers. It’s really important that cyber security training is carried out with everyone within the organization, including members of the C-Suite all the way to part-time and seasonal employees. Anyone with access to the network needs to be properly trained so limit the threats.
Many businesses ignore training the C-Suite, and this can often be more problematic given the level of access members of the C-Suite often have within the network. While it can be painful, it’s important that everyone is trained to the same level and undertakes the same training sessions in order to truly limit the cybersecurity threats within your organization.
Cybersecurity is one of the biggest threats to your business and having the procedures, training, and software in place to tackle these threats is crucial to protecting your organization.
Richard Rogerson
Packetlabs is an ethical hacking business founded by Richard Rogerson in Toronto, Canada. Packetlabs delivers ethical hacking services across North America to help improve security within several industries, including health care, financial, government services, law enforcement, shipping, SaaS, professional services, and more.
"Unfortunately, human error is all too common when it comes to an attack, so we recommend the following to try and minimize the chances of an attack…"
1. Discuss Training Options with Staff
Often, the modules employed are made at the exclusive discretion of upper management and/or human resources, without staff involvement. Depending on the nature of the workplace, this may not always end up with a full attendance come training time. It is best to include staff from all levels to come up with the best approach for teams to be trained. For example, sitting a team of industrial plant employees down and teaching them all the different ways their system could be compromised may not be the best approach since most would not work on a computer often, or even at all.
2. Keep it Relevant
When considering cybersecurity training options, similar to the first point, always make sure the discussed threats are relatable, real world practicalities in the given workplace. For example, an office where it is common to have guests would benefit from learning the details surrounding tailgating, card cloning, and security Wi-Fi networks.
3. Deploy Phishing Campaigns
In order to get a complete feel for staff awareness, it is wise to deploy a phishing campaign. This means someone either internal or external will send an email imitating something to try and get the employees to open the email and click the link or open the attachment. The type of email may be something like, ‘It's that time of year again, change your password!’
4. Pump up the Frequency
Unfortunately, attackers are coming up with new ways to attack regularly. It is no longer effective to have training annually or less often. We have started recommending that our clients do some sort of training with their employees quarterly. These do not have to be long sessions each time, just enough to refresh them and make them aware of any new techniques they should be aware of that may affect them.
5. Do Not Punish Staff for Their Mistakes
Mistakes happen. So, your employee has opened that email attachment during the phishing campaign. The whole point of the activity was to teach the employees how easy it can happen and how to identify a phishing email from a real email. At this point, that employee is likely going to start paying more attention to the details of an email to try and prevent it from happening again, meaning the campaign was successful. Reward employees on successful test runs, quizzes given during training, etc. Punishing staff will likely only result in reduced engagement during the next lesson, which will have the opposite effect you were looking for.
Pushpraj Kumar
Pushpraj Kumar is a Business Analyst at iFour Technolab Pvt Ltd.
"There are a few practices you can follow for improving employee cyber awareness…"
- Teach employees to be cautious when engaging in online activities, abide by client rules, and reach out for help when they encounter something suspicious.
- Employees should avoid pop-ups, unknown emails, and links.
- Require the use of strong password protection and authentication.
- Office Wi-Fi networks should be secure, encrypted, and hidden.
- Have a firewall for the company network.
- Don’t hesitate to invest in a quality security network.
- Install security software updates and backup your files.
- Reach out to your company IT support team about information security.
- Take the time to train employees about cybersecurity.
Michael Brengs
Michael Brengs is a recognized identity management expert and industry speaker who has been deploying identity management solutions for 20+ years and is currently a Managing Partner with Optimal IdM. Mr. Brengs attended the University of South Florida where he earned a degree in Management Information Systems and is a Microsoft Certified Professional.
"One of the best ways to educate employees about security threats is to make security awareness training mandatory…"
Include it as part of the company's annual training requirements. Whether it's a video, a class, or even a whitepaper that needs to be read with an employee sign off of understanding, anything is better than nothing when it comes to the safety of your employees and your network.
If you’re conducting training sessions, here are a few ways to make cybersecurity awareness training more engaging for employees:
- More one-on-one leadership and/or teacher interaction with the participants.
- More workshop labs so that participants can learn at their own pace in a hands-on environment.
- More explanation and breakdowns of basic security definitions so employees can learn how to fundamentally evaluate incidents (like a phishing attempt) that may arise.
Joe Cannata
Joe Cannata is the owner of Techsperts, LLC. Joe and his company have been providing the New Jersey community with information technology services for over a decade, including cybersecurity.
"We have found the best practice for improving employee cyber awareness is training…"
Basic employee training on how to identify malicious emails and other threats is paramount to organizational security. Security is best applied in layers, and one of the most important layers is the end user itself.
While firewalls, email security, and endpoint protection will filter out most of the threats, they will certainly not eliminate them all before reaching the employee. The last line of defense is always the employee. If employees have a basic awareness of how to identify common threats, it can save the organization a ton of time and money.
Tom Martinez
Tom Martinez is the CEO of tca SynerTech. Located in Berrien Springs, MI, Tom and his team have been providing technology services to the Berrien Springs community since 1997.
"Cybersecurity training is effective…"
To increase the success of the training, we find that small rewards for employees help make the training fun while reinforcing cybersecurity training concepts. Having a “loot” box that the top three employees who successfully identify security threats could choose gifts from helps build awareness while making it fun. The loot box can consist of candles, a Google Home Mini, gift cards, or anything else fun and interesting for employees.
Krystal Triumph
Krystal is the IT advisor IT Atlantic IT. Her specialties include Small Business Solutions, Hospitality IT Support, Technology Solutions, Medical IT Support, and many more.
"We have found these three steps useful for improving employee cyber awareness…"
Awareness: Explain the importance and why the company and employees are targets. Provide them with statistics and facts.
Review: Discuss the strategies and ways to look out for cyber attacks. Inform them of the company tools in place to protect them. Show them examples of different attacks they might encounter. There should be mandatory training for all employees that start with the company. Also, provide tools on how they can protect their personal data, not just the company information.
Test: After providing training, test employees with various different cyber attacks to see if they retained the information. This should be performed quarterly. Make it fun, provide rewards, and highlight employees that are keeping up with the training and passing the tests. Have discussions with users that fail the tests, and this should also be a part of their performance review.
Cameron Call
Cameron Call is the Technical Operations Manager at Network Security Associates, Inc. He has been with Network Security Associates for over five years. He obtained his MBA from WGU Nevada and is an IT enthusiast.
"A company needs to let their employees know what they expect from them for cyber awareness…"
This can be done with online video training – there is no shortage of companies doing this – or holding meetings, whatever format fits best with the company’s culture.
After the education, employees need to have their knowledge tested. For social engineering, this is usually done with company sponsored phishing campaigns. The test type should align with the education content.
The testing will generate conversation among employees. Maybe failing tests will result in a warning from HR or the testing can serve as a contest to see who doesn’t fall for them. I find that if employees know the company is out to “trick” them then they are a lot more vigilant about ALL attempts at trickery.
This education testing cycle should be ongoing.
Christopher Gerg
Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra. He is a technical lead with over 20 years of information security experience. He has experience in the challenges of information security in the cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries.
"I am finding that many organizations are doing a poor job of prioritizing information security risks, including cyber awareness, appropriately…"
Part of this is a product of how the information is presented and the context within which it is presented. Part of it is mindset – many organizations’ management teams think of IT and information security as a cost center. They also think of the role of technology as one of convenience; websites are a nice way to market your company, and email is a nice way to communicate. In reality, many organizations find that their entire business grinds to a halt when their computing infrastructure is locked up with ransomware. In addition, I think that senior management roles focus on finances and classic business (MBA-style) strategy and not enough on security, and a good cyber awareness program starts with management.
Ultimately, management can do one of three things to address risk: fix it directly (buy something or change something), insure against the risk (transfer the risk to your cybersecurity insurance policy), or simply assume the risk (with knowledge of the impact if there is an issue as a result of the risk materializing). With the human risk, there is always some assumption of risk but "fixing" it with a cybersecurity awareness training program and having insurance as a safety net are the preferred methods.
Raising cyber awareness revolves around communication. Base the message in terms of risk to the organization and use approachable terminology. Why do employees need regular security training? What risks are we trying to address, and how significant are they? Security should be top-of-mind for everyone in the business, especially one that relies on IT services.
Marty Puranik
Marty Puranik is the President and CEO of Atlantic.Net, a web hosting solution that offers HIPAA-Compliant, Dedicated, Managed, and Cloud hosting services.
"The insider threat is a major risk to enterprise cybersecurity in today's digital age…"
Employee security training should be a part of your company culture, and the more widespread it is at your company, the more people will buy into it. Try having your CIO or IT manager included during the onboarding process to really drive home to new employees the importance of security at their new place of employment. For long time employees, ensure your message is being passed on through their team leaders. Try to stay away from long emails and memos, because a lot of employees will skim the first couple of sentences before deleting them. Instead, try creating some videos, or maybe hang up some infographics in main areas of the office, like the break room, near the water fountain, and even in the restroom. Even if your employees aren't that interested in security, repeatedly reading phrases and actions in visual form will help them remember said messages when something out of the ordinary occurs online.
Abdul Rehman
Abdul Rehman is a cybersecurity editor at VPNRanks.com.
"Cyber-threats have become a lot more common nowadays than they were before…"
Most of these can be prevented if there's employee awareness regarding the best practices to stay secure online.
One best practice that a company should implement is to ensure that employees realize that they are vulnerable to cyber attacks. Most employees think that these attacks won't happen at a company level, or that the company is way too secure. But the truth is, no matter how secure you may think a company is, it's always vulnerable. The solution comes after realization and acceptance of the problem.
Other than that, formal training programs and seminars can be arranged for employees to make them aware about how to handle company data that doesn't compromise its security in an engaging manner so the employee feels included, important, and responsible. They should also be taught about the basics like using encrypted and unique passwords and avoiding suspicious and spam links.
Joseph S. Zhou
Joseph has 20 years of technology leadership and innovation experiences in information security, risk management, and design of distributed enterprise software platforms. At Evive, Joseph is responsible for all aspects of security and privacy risk management and compliance. This includes enterprise security architecture, governance, commercial SaaS-platform and network security, security awareness training, and more.
"Cyber hygiene, secure-by-design culture, and privacy sensitivity are paramount…"
Some best practices we follow include two-factor authentication, segmentation, AI-based threat detection, DLP, end-to-end encryption, secure coding reviews, least privilege access control, and a proactive company-wide commitment to cybersecurity from the moment each employee is onboarded.
Security and compliance requirements are built into each new project's initiation phase. Our security team regularly launches disaster recovery and threat emulation campaigns to practice our response procedures, as well as our use of the tools involved. We've found regularly sending out simulated phishing campaigns to employees has improved awareness and diligence in spotting key warning signs of phishing attacks, and it has made us stronger as a company to mitigate that risk.
Michael Alexis
Michael Alexis is the CEO of Team Building.
"With cyber awareness, many companies default to the lowest effort for fulfillment…"
For example, organizations I’ve worked with would include a single bullet point in the company newsletter, or a short paragraph during on-boarding.
Instead, if you want to be successful with increasing cyber awareness, then you need to dedicate a meaningful amount of time and effort to it. We recommend hosting training workshops that are required for employees to attend. During these workshops, you can teach concepts and action steps for dealing with topics like phishing, safe software practices, and even online communication. A single, one-hour session even once per quarter can make a massive difference in awareness and understanding for your team.
Joe Flanagan
Joe Flanagan is the Lead Project Engineer at Tacuna Systems.
"There are several best practices to follow for improving employee cyber awareness...."
- Train your employees on cybersecurity.
- Create awareness on the dangers and problems of cyber attacks.
- Set strict rules that are to be followed.
- Monitor and enforce set rules.
- Associate workplace cybersecurity with personal cybersecurity. This is especially important with remote work on the rise.
Simon Nowak
Simon Nowak is the CEO of Authority Dental.
"Cyber attacks are a huge problem that concerns all modern businesses…"
Here are some best practices for how to deal with it and how to increase your employees’ awareness:
Implement a formal training program. Knowledge is power, so share some comprehensive information with your employees. Let them talk with experts about various aspects of security and cyber danger. You may also set up regular meetings that will help you to keep them updated.
Prepare an efficient alert system. This may be an email address for questions and doubts, an Excel file with blacklisted senders & unsecure websites, etc. In other words, anything that will ensure a clear communication between you, your team, and IT experts.
Have a little fun. Although cybersecurity is a serious topic, being scared will not bring any good results. So, organize some quizzes or contests for your employees. Keep them motivated and focused by enhancing their competitive spirit. Besides, who wouldn't like to win a prize?
Tan Ah Long
Tan is the Managing Director of Kudos CAS Consultants Pte Ltd.
"What we did was to engage a cybersecurity expert to send fake phishing emails to all my employees…"
A week or so later, we had a meeting, stating that it would be a few hours long. We asked the cybersecurity expert to share what happened with our employees and to teach them how to be more cyber aware and recognize phishing attacks.
Giving them a fake cyber attack scenario helped to raise my employees’ cyber awareness.
Luka Arezina
Luka Arezina is the co-founder and editor-in-chief at DataProt.
"When it comes to introducing cybersecurity to employees, I find that the best practice is…"
To implement cybersecurity training as early as possible during the onboarding process. Showing the employees how to recognize phishing attacks and how to avert them significantly reduces the risk of falling victim to it.
Next, similar to fire drills, training should be repeated every once in a while, at least once a year, but the more often the better. Training can come in the form of an internal network booklet, or even a quiz or test – experience tells us that showing the employees the real-life examples of phishing attacks is the best warning.
Training and occasional reminders of what cybersecurity threats look like are the best practices when it comes to improving employee cyber awareness.
Vanessa Keen
Vanessa Keen is the Owner at webSMART. She has more than 15 years’ experience in digital marketing and a penchant for all things WordPress, SEO, and content marketing. With an eclectic mix of projects from Fortune 500s, local businesses, and nonprofits, she and her team excel at helping clients maximize online reach in a fast-paced, constantly evolving digital landscape.
"At webSMART, cyber awareness is an integral part of our new employee training, and we have an IT security consultant monitor our activities…"
We have protocols and clear documentation for sharing sensitive data and credentials through secure channels. Team members are taught how to identify phishing scams, and if they receive something suspicious, we have policies in place to review the situation and then act accordingly.
