Although the likes of Equifax, Yahoo, and Home Depot have suffered devastating security breaches, many office workers still discount the threat of information theft. They leave their computers unlocked when they leave their desk. They share passwords with co-workers. They even let people tailgate behind them when going through secured doors. Security is the last thing on their mind, and they doubt their company will ever experience a breach. Does this sound like your office?
As a manager, you face the challenge of changing their minds. Whether you work in IT or HR, following the steps below will give you the tools you need to make your employees care about information security.
1. Update them with news of security breaches
One reason employees often shrug off the threat of cyber-attacks is that the prospect seems so remote. Hackers are not a visible enemy, and the odds of your operation being targeted by them seem low. It’s human nature to respond to threats we can see.
As a boss, whether an employer or a manager, you need to make this threat appear very visible to your workers. Throughout the month, bring news articles of information breaches to their attention. Attacks happen often, and you shouldn’t have trouble finding news articles about them. Look for materials relating to your industry, especially attacks on companies that are of similar size to your own. You want your employees to empathize as much as possible with the victims of these attacks.
Now comes the question of how to deliver this information. While an email might seem the most comfortable option, employees tend to ignore emails they deem inconsequential. They have bigger fish to fry, and they might not take the time to read through an article. Bring this to their attention verbally: draw them into a short meeting and present the report. Try to get them to discuss the impacts of the attack. Ask them what damage this company may incur, both obvious (such as lost intellectual property) and subtle (such as damage to the brand or loss of customer confidence). Have them propose ways the company could have avoided the attack. While they may not be information security experts, having them think like one, even for 15 minutes, will make a significant impact on their security awareness.
2. Create incentives (and disincentives)
Incentives are powerful. If you ask an employee to start using black ink pens instead of blue, the employee may or may not choose to comply. Humans can be stubborn creatures. But if you inform them that using black ink will score them points on their performance review, they will switch in a heartbeat.
You should make adhering to company security guidelines come with explicit boons and penalties for employees. These incentives don’t need to be attached to a performance review, but the consequences of being careless with passwords or keycards should be evident to employees. You want to create a sense in the company that a security-conscious employee will get ahead.
It’s equally important to have negative incentives. As you’ve likely seen, not all employees are seeking to advance in your organization. As long as their job is secure, they may not be inclined to change their behavior. But a negative incentive like points lost on a review would threaten their stability, and that might be the catalyst they need to start taking security more seriously.
3. Hire vulnerability testers
This approach is the nuclear option; it will cost money and time, but the results will be phenomenal. For those who don’t know, a vulnerability tester is a third party hired to evaluate your company’s security measures. The focus varies: some only test your network’s security, others your physical security. You’ll need to pick a vulnerability tester who spotlights the type of attack that will most affect your employees. If you manage an IT team, a network attack may be appropriate; a non-technical unit may need a firm that tests physical and onsite security.
The testing team will attempt to break into your office. To run this simulation, most employees outside of management need to be oblivious to the impending breach.
Testers may attempt to enter the building by talking their way past the front desk, posing as delivery people or contractors. They may try to break in after hours and see what rooms and assets are unsecured. You’ll need to set boundaries with your chosen testing firm, such as avoiding disrupting company operations or damaging locks and windows.
The benefits of a vulnerability test are twofold: it will reveal weaknesses of which the company may have been unaware, and it will provide a concrete example for employees to see how easily information theft can occur. Ask your testers if they can film their attacks so that you can show your employees; once they see people who should not have been there walking by their desks, able to read papers left out or steal exposed mobile devices, their security awareness will rise.
You can lead your employees to care about security. By applying these methods, your workforce will understand the value of information security, with your company better protected from the untold damage wrought by hacks.
3 Ways to Make Your Employees Take Information Security Seriously