Cybersecurity Awareness: Six Tips to Help Your Employees Be Cybersmart

We believe it's time for a new approach to cyber awareness, one that borrows on the concept of the shared responsibility model common in cloud computing. Here's how we get there.

How much consideration does the average employee give to cybersecurity in your organization? If you're like most, you'll see human behavior running the gamut from the zealous guardian, who reports suspicious activity on a regular basis, to the security scofflaw, who does everything in their power to circumvent safeguards in the interest of "productivity." 

In the 18 years since the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) first launched Cybersecurity Awareness Month, much has changed about the way we all live and work. Even before the COVID-19 pandemic, organizations in all sectors were undergoing digital transformation and migrating infrastructure and service to the cloud. The widespread move to remote work in 2020 only served to accelerate the pace of change already well underway.

Yet, a new global study commissioned by Tenable and conducted by Forrester Consulting reveals that many employees continue to view cybersecurity as a hindrance rather than a benefit. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, surveyed 479 full-time employees working from home three or more days a week. While the vast majority (81%) consider protecting customer data to be somewhat or very important, more than half admit to using a personal device to access it. Equally concerning, the study reveals that:

• More than four in 10 remote workers (44%) feel cybersecurity restrictions and policies make them less productive;
• A third (36%) delay applying updates to their devices; and
• Over a quarter (27%) admit to sometimes ignoring or going around cybersecurity policies. 

What do these findings mean for security leaders? It's safe to assume that, on any given day, a significant number of workers are avoiding basic cyber hygiene best practices, such as using only company-provided devices to access sensitive data, only accessing company systems and data via Virtual Private Network (VPN) and not connecting via public Wi-Fi.

So, what can be done about it? We believe it's time for a new approach, one that borrows on the concept of the shared responsibility model common in cloud computing. In this model, cybersecurity would be considered a corporate strategic objective from the top down. Every employee, regardless of position or rank, would have a "security scorecard" baked into their annual performance review metrics, given as much weight as the other measures of their success. Security leaders, in return, would commit to making it as easy as possible for employees to practice sound cybersecurity throughout their workday. 

6 tips for teaching employees how to be cybersmart

Moving to such a shared responsibility model is far more complex than it sounds. Creating a security scorecard for each employee would require robust asset management across business units so security leaders could have visibility into who owns each device or application and who they report to, and a centralized dashboard into which the findings could be continuously tracked. It would require careful attention to legal and regulatory concerns to ensure any measures put in place would respect the privacy of employees. And it would require significant resources to manage.

Yet, organizations can begin laying the foundations for such a model today. The following six tips offer ideas for how cybersecurity leaders can teach employees to be cybersmart:

1. Start small. Identify one department or team within your organization and spend time with them. Learn how they work and ask them to identify any security practices and policies they feel are working well and provide honest feedback about the ones they feel are holding them back. 
2. Make it seamless. Look for processes and solutions that reduce friction in the employee's workflow. Remember, the builders of consumer apps and devices prioritize engagement and ease of use; security tools and processes need to be engaging and easy to use, too, otherwise employees will avoid them.
3. Ask for help. Consider working with your organization's human resources, internal communications or marketing team to find new ways to engage employees. You're the security experts, they're the communications experts. Joining forces could lead to fresh ideas on how to educate employees and implement a cybersmart culture.
4. Explain the "why" behind your measures. Don't just tell employees what they need to do; help them understand why it matters to them. Show them how they can be part of the solution, not part of the problem. 
5. Be available. Push your executives to include time for cybersecurity discussions during every companywide meeting so you can constantly reinforce the messaging and keep people up to date on new efforts. Schedule regular "ask me anything" sessions with employees so you can address any misinformation and encourage continuous learning.
6. Make it worth their while. Understand what motivates employees and then build your program around that. For example, do employees at your organization respond primarily to financial incentives? Or do they prefer public recognition for their efforts? Does motivation vary by team or department? Take the time to learn what matters to everyone — ask what motivates the most zealous guardians and why the security scofflaws are avoiding your policies. 

While security leaders bear the greatest responsibility for keeping the organization safe, it's not something they can do in a vacuum. Building a cybersmart culture requires everyone in the organization, from the top down, to understand their roles and responsibilities. Finding the right mix of technologies, people and processes will help you increase the number of zealous guardians and reduce the number of security scofflaws in your organization. 

Learn more:

• Visit the CISA website for resources you can use to help educate your employees: https://www.cisa.gov/cybersecurity-awareness-month-resources
• Visit the NCSA website to access additional resources: https://staysafeonline.org/cybersecurity-awareness-month/get-involved/
• Download the Forrester study to learn more about the challenges of securing a remote workforce: https://www.tenable.com/analyst-research/forrester-cyber-risk-report-2021