Turn your employees into security advocates
- Posted on May 11, 2021
- Estimated reading time 4 minutes
This article was originally published in Forbes.
As online fraud becomes ever more sophisticated and its threats to our businesses loom large, there are some surprisingly simple steps we can take to add layers of protection to our companies.
One of the most effective defenses is to encourage your employees to become active security advocates. Imagine how much more secure your operations would be if every single employee were knowledgeable about and on the lookout for online threats to your company.
It’s possible. While online fraudsters are continually devising more creative ways to break through your security systems, the reality is that the most prevalent threats are still the common ones. By encouraging all employees to recognize these typical threats and take pride in thwarting them, they become a powerful line of defense.
Establish your all-employee security team
It’s a self-reinforcing virtuous circle: The more advocates you have, the easier it is to instill a security mindset across the company, which in turn reduces your overall risk and strengthens your security posture.
By letting every employee know how important they are to your company’s ability to protect itself from outside threats, you reduce your company’s level of risk. Create an internal campaign that reinforces that recognition, and you will establish a culture that values alertness and encourages a competition that pits your employees against those who would do your company harm.
Equip your team with the basics
Once your team of security advocates is in place, they will need basic tools to be effective:
• A nonjudgmental reporting system. “If you see something, say something” is central to almost every security system on the planet. Do your employees know what to do if they run across something that doesn’t seem quite right?
The most prevalent online threats are still various forms of phishing: people receiving messages via email or on their phones, often offers that are too good to be true. Recently, we have heard of criminals who mimic a company’s email format and signature style and grab a photo of the company leader from the web, all to trick an employee into clicking on a link in a message they think is from the CEO. This kind of executive impersonation is often called CEO fraud or business email compromise.
So make sure your new front-line security force has ongoing training about what to look for — and give them the means to report something suspicious. Just like your ethics program, make sure there is no fear of retribution. It may seem odd to question a message that looks like it may be from the CEO, but better safe than sorry.
• Ongoing training. Of course, even if we trained everyone today, in a couple of months, we would have to do it again. New joiners must learn the culture and become part of the security chain. And there are always new vectors of risk, requiring the team to learn the new ways attackers are threatening us.
One thing we have learned at my company: To keep employees engaged, we have to catch their attention. To do that, we tell stories. In our ongoing security conversation with employees, we describe something that actually happened and how it was handled, whether at our company or another. We show how alert people made a difference and sometimes even discuss a situation that didn’t go so well.
• Professional support. If you have access to change management experts, enlist them! Our change management team helps us drive messaging, fine-tunes how we deploy programs and reminds us to make sure we think about end users. The team uses a mix of communications vehicles, from Yammer to emails to videos and more, to build ongoing communications campaigns, then changes them up regularly. And we make sure our news, information and advocacy have the support of company leadership and are not pigeonholed as just another message from IT.
Luckily, technology tools can help your employees become security-aware. At my company, we have deployed:
- An anti-phishing button. This appears on everyone’s Outlook toolbar. Selecting a message and clicking on the button automatically routes an email to our security group for analysis. Our next step is to build in metrics so that we can efficiently report the results back to people.
- Anti-phishing tests. Employees randomly receive a message designed to look like a phishing attempt. If they report it, they get an immediate message congratulating them for their sharp eye. If they miss a certain number of tests, they are scheduled for a training program.
- External message tag. An “external” alert that appears on messages that come from outside the company is a simple visual reminder to give the message a closer look.
- AI-powered, risk-based multifactor authentication. Users signing onto our system from a company-issued workstation go through fewer security steps to gain access. If they sign on from a new or outside device, they are asked to complete additional verification steps. Our goal is to make it easy for people to do the most secure thing: use their company-issued equipment.
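To make the external tag and the CEO-impersonation pattern concrete, here is an added example, not code from the Forbes article or from any mail gateway product. It assumes a hypothetical internal domain (example.com), a constructed executive list, and four constructed messages; a real deployment would pull the domain list and executive names from the directory and apply the tag at the mail gateway after SPF/DKIM/DMARC checks.

```python
"""Prepend an [EXTERNAL] tag and flag executive impersonation in inbound mail.

Added illustration only. INTERNAL_DOMAINS, EXECUTIVES and the sample
messages below are assumptions constructed for this example.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions: the organisation's own domain(s) and the display names
# (normalised to lowercase) whose real mailboxes we want to protect.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"dana chen": "dana.chen@example.com"}
TAG = "[EXTERNAL]"


def edit_distance(a, b):
    """Levenshtein distance; used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(raw_message):
    """Return the external verdict, the (possibly tagged) subject and findings."""
    # policy.default decodes RFC 2047 encoded-words in headers for us.
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    external = domain not in INTERNAL_DOMAINS

    # Tag once only: replies to an already-tagged thread keep the first tag.
    subject = str(msg.get("Subject", ""))
    if external and TAG not in subject:
        subject = f"{TAG} {subject}"

    findings = []
    # Display name of an executive on an address that is not their mailbox.
    key = " ".join(name.split()).lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    # Domain one typo away from our own (e.g. examp1e.com vs example.com).
    if external and any(edit_distance(domain, d) == 1 for d in INTERNAL_DOMAINS):
        findings.append(f"sender domain {domain} is one edit away from an internal domain")
    # Replies silently redirected to a third domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != domain:
        findings.append(f"Reply-To {reply_to} goes to a different domain than From")

    return {"external": external, "subject": subject, "findings": findings}


# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": (
        "From: Dana Chen <dana.chen@example.com>\nTo: pat@example.com\n"
        "Subject: Q3 numbers\n\nSee attached.\n"
    ),
    "ceo_fraud": (
        "From: Dana Chen <dana.chen@gmail.com>\nTo: pat@example.com\n"
        "Subject: Urgent wire needed today\n\nAre you at your desk?\n"
    ),
    "lookalike": (
        "From: Accounts <ap@examp1e.com>\nReply-To: ap@mailbox-relay.net\n"
        "To: pat@example.com\nSubject: Updated bank details\n\nPlease update.\n"
    ),
    "already_tagged": (
        "From: vendor@supplier.net\nTo: pat@example.com\n"
        "Subject: Re: [EXTERNAL] Contract renewal\n\nThanks.\n"
    ),
}


def run_samples():
    """Classify every constructed sample and return the results by name."""
    return {label: classify(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result)
```

The subject tag is a reminder for people, not a control: attackers can still send from a look-alike domain, so the gateway's authentication checks (SPF, DKIM, DMARC) decide what is delivered, and the findings here are what a security analyst would want surfaced when an employee presses the report button.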
No matter how sophisticated our technology defenses get, human awareness and commitment to security will always be one of our most important tools against cyber fraud. By training and empowering our employees to be front-line defenders, we are investing in one of the most effective defenses available. By applauding and rewarding their diligence, we are building a culture of security awareness that will help protect our companies for years to come.