Most large organisations now provide some kind of formal cyber-security training, and yet the incidence of security breaches continues to rise.
Internet use rises every day: people use online messaging almost constantly, and there is an app for everything. They also receive more spam emails every day, and so have at least some awareness of the near-constant attempts made to elicit data or breach security.
In short, people know that a lot of personal, private and potentially sensitive data is out there and yet continue to behave in ways that cyber-security experts would consider risky at best, downright dangerous at worst. So how can employers optimise engagement with cyber-security within their workplace?
Barriers to employee engagement
Understanding the barriers to individual cyber-security compliance requires an understanding of human nature.
The age of the internet has done nothing to change basic human feelings and behaviours, and before we can change behaviours we first have to understand them. Some of the key barriers to individual cyber-security compliance are:
There are several reasons employees might just not care very much about cyber-security, such as not fully understanding the value of their data to both legitimate and unlawful information gatherers.
If people don’t feel a strong sense of ownership over their personal online information, they’re even less likely to be bothered about what happens to the private data of an employing organisation that they might not even value or care about – or even like – to start with. It’s hard to care about your employer’s valuable information if you hate your job.
The idea that people do know the value of data privacy, but find it easier to continue risky behaviours and just not really think about it.
There are now around 2-and-a-half billion active Facebook users; it is widely known that Facebook and other social media platforms collect and use our data in ways that make most of us at least a little uncomfortable, yet social media use is still rising. Human cognitive dissonance is what keeps cigarette smokers damaging their lungs, what keeps animal-lovers eating veal. It is why we continue to do what we want, despite what we know.
Unless someone really understands the importance of good password hygiene and cyber-security, there’s no reason they should engage with any behaviour changes that require even the smallest amount of time and effort, such as frequent or complex password changes. This is exacerbated by user-unfriendly interfaces, or by workplace IT systems not being intuitive for employees. For example, in a workplace with shared computers using individual log-ins, many systems will lock the desktop after a period of inactivity, to prevent misuse of other people’s accounts. If this lockdown requires the password of the account already logged in (or a full restart), people will share passwords to save time restarting computers or physically coming to unlock their account.
Someone Else’s Problem.
In a large organisation with a dedicated IT department and security team, employees may feel they’re a step removed from security breaches, that they have a virtual layer of protection as there are people dedicated to rolling out security updates and spotting attacks.
Even in a small company, there can be a feeling that cyber-security is someone else’s job. In particular, employees who feel undervalued already may have a strong feeling that cyber-security is out of their remit.
So what can employers do to ensure engagement with cyber-security requirements?
Education, education, education.
But education with an understanding that there are many different learning styles, and many different reasons people might and might not engage with web security.
Half of your employees might respond to a security awareness programme that hinges on humanising the negative impact of data security breaches, by eliciting empathy and personal responsibility. If a data breach in your organisation might mean that a sweet old lady gets a phone call asking for her bank details, make sure your employees know that.
The other half of your employees might only respond to a training session where they realise that they are accountable for cyber-security, as much as the IT team is. Some people might feel the weight of responsibility just from knowing that they have access to some important data and systems, and that they are trusted and valued. Some people might listen up if they know that a breach of your IT systems would allow access to their own personal information and HR records.
Tailoring training to the individuals in your organisation can be tricky, but it can be done.
In addition, depending on the size of your enterprise and the way it’s organised, team leaders should make an effort to be aware of the individuals within their team and their engagement with IT and security behaviour. Employees can be identified as needing more or different styles of training, and this should be routinely assessed and offered.
A robust data security awareness programme means giving your colleagues and employees a good understanding of the risks of security breaches. While helping to improve compliance with data security, a good training programme can also help to reinforce your employees' understanding of their personal data and online presence. Incorporating personal safety into a broader training session on cyber-security can help people link their behaviour to potential risks. Examples of the human impact of past data breaches can help with engagement and understanding. Teaching people that what they do can make a difference on a huge scale will go a long way to improving their engagement with basic safety.