How to train your staff on cyber security (and make it stick)


A strong security policy is one thing. Employees’ actual security behaviors are often quite another. In the complex and rapidly changing world of cyber security, experts say that training is essential to keep workers up to speed – and ensure your business stays safe.

How do you teach employees security tactics, and make sure they actually utilize them? Try these five tips.

Lead By Example

Good security habits start from the top. If the boss has passwords affixed to his monitor with sticky notes, a computer left unattended and unlocked during lunch, or an unsecured laptop sitting on his desk overnight, why should employees behave any differently? The best way to instill good security behaviors in employees is to model them yourself as a manager. Follow security protocols to the letter; otherwise you can’t admonish others in good faith for failing to do so.

Send Out a Daily Security Tip

Dropping a hundred-page policy manual on every employee’s desk that outlines your security policy is a surefire way to guarantee it is never read or referenced. While formal security documentation has its place, security advice and tips delivered in manageable, bite-sized chunks are more likely to be effective at both training and reinforcing good security habits. These tips can be delivered in a daily email missive, either highlighting one point of your security policy, explaining a common security term (“What is phishing?”), or focusing on a recent security-related story in the news to help bring home the real risks of loss.

Rigorously Enforce Security Policies 

In many companies, particularly smaller ones, it’s a common habit to let security protocols slide from time to time. You may (smartly) require an in-person appearance from someone before resetting their password, but when time is tight and people are busy, the IT staff may go ahead and perform the reset over the phone. Mandate that procedure be followed for all such activities, even if the person on the other end of the line is a good friend and there’s no question of identity. Make sure both the IT department and the employee calling for help know that this isn’t a matter of distrusting either of them; it’s about protection from outsiders looking for holes in your internal processes.

Put Employees to the Test

Telling employees to watch out for things like social engineering doesn’t mean much by itself. You might also want to see if they actually follow your corporate guidelines when a hacker calls. Why not put them to the test in a real-world simulation? For a social engineering test, you can either pay a security expert or do the job internally. Either way, you only need to call an employee who has access to sensitive information – be it password resets or customer data – and attempt to coerce them into bypassing your security protocols. If they crack, you know you have additional training work to do.

Make Security Tools Freely Available

Employees won’t use tools like data encryption, VPNs, and malware scanners unless they’re widely available and easy to use. Make these tools default products on every computer in the building. Extend this concept to anything related to security, including drawers and file cabinets that lock as well as paper shredders. Employees often have access to shredders or other secure document destruction bins, but they simply don’t use them because they’re a hassle or are located too far from their desk to bother making the trip. The overarching theory: Make it easy to adopt good security behaviors, and employees will catch on.

This story, "How to train your staff on cyber security (and make it stick)," was originally published by BrandPost.
