How Companies Can Increase
Cybersecurity Awareness
inEmployees
Amy is an accounting, audit and fraud
awareness instructor at Camosun
College in Victoria, BC. She completed
her masters in cybersecurity and
computer forensic from Utica College.
Her areas of interest are fraud in a
cybersecurity context and increasing
cybersecurity awareness levels.
Hoggard_EI_163345.indd 1
Amy Hoggard, MS, CPA, CA, CFE, CIA
Abstract: In order for cybersecurity measures to be effec-
tive in the workplace, it is important for employees not to
feel overwhelmed by new security measures. Focusing
cybersecurity training on two or three key messages for
employees to take away will help increase the use of
best practices. Helping to make the cybersecurity team
appear more approachable will encourage employees to
be more comfortable asking questions or reporting any
suspected cyber-breaches. These are paramount consid-
erations in combatting cyber-threats. When employees
are given clear examples of what potential threats might
look like, it increases the likelihood that employees will
recognize and report the threats, therefore eliminating
the possible cyber-breach.
Keywords: cybersecurity awareness, cyber-threats, cyber-
attack, cybersecurity plans, fraud prevention, informa-
tion technology, Internet security, employee training,
best practices
Introduction
There is rarely a week that goes by without a news story
of a cyber-attack or security breach at an organization.
Organizations know that protecting themselves from
cyber-threats is important and they are creating cyberse-
curity plans to ensure they are minimizing the risk. What
is being found, however, is despite having good cyberse-
curity plans and controls in place, it is the employees
that are unknowingly the greatest risk the organization
faces in cyber-attacks. Cyber-criminals are capitalizing
on the weakest link in the organization and manipulat-
ing employees into providing sensitive information or
installing viruses on their behalf. Organizations need to
focus on educating their employees on where they might
be vulnerable to an attack as prevention is usually more
cost effective than detection and correction.
Expert Insights 2016 1
11/30/16 4:41 PM
 How Companies Can Increase Cybersecurity Awareness in Employees
Security measures implemented in organi-
zations are only as strong as the employees
who use them. A strong password is only
effective if not written down or shared among
staff. In order to encourage employees to use
cybersecurity best practices, it is important
to explain why they are important and what
could happen if they are not used as this will
help increase employee engagement. There
are a variety of methods organizations can
use to increase cybersecurity engagement,
focusing on a succinct messaging of key points.
Why is Cybersecurity Awareness
Important?
Cybersecurity awareness training for employ-
ees is vital for all organizations. A recent
survey by Axelos, a company that develops
information technology best practices, found
that successful cyber-attacks required the
help of an innocent person 90 percent of the
time (Axelos Global Best Practice, n.d., p. 2,
para.3). Despite organizations now recogniz-
ing that cybersecurity is important, a cyber-
security plan for a business is only as good as
its weakest linkemployees. Organizations
now must determine how to engage their
employees to ensure that they are aware of
the cyber-threats that they could encoun-
ter. In addition to engaging employees, an
emphasis on the importance of preventing
cyber-threats should be incorporated into
training to reinforce to employees that it
is a serious issue that should not be taken
lightly. Real-life examples can help increase
the relevance and value of the training.
Information technology specialists have
managed to convince senior management of
their organizations that information security is
a significant issue and now they are facing the
challenge of increasing cybersecurity aware-
ness in employees. The results confirming
this are overwhelming. Axelos research found
that 99 percent of information technology
security specialists responsible for training
decisions believed that cybersecurity aware-
ness learning and training is key to securing
information in their organization (Axelos
Global Best Practice, n.d., p. 2, para. 4). But
2 Expert Insights 2016
Hoggard_EI_163345.indd 2
the question remains, how do you engage
employees to care about cybersecurity?
How Cybersecurity Awareness
Can be Increased
Traditional classroom-style training has been
used for cybersecurity awareness training by
many organizations. Having a half-day, full-
day, or longer seminar discussing all the risks
employees could be exposed to and how to
respond to them will help disseminate the
information to employees, but the retention
of information within a seminar style course
is only 5 percent (Burge, 2015, p. 1, para. 5).
Organizations should avoid having purely
lecture-style training in order to increase
the retention level of employees.
Incorporating role-play within this class-
room training will help increase retention
of information provided as the employees
are more engaged with the topic than just
having the information presented to them.
Having the employees practicing and doing
what is being taught increases retention from
5 to 75 percent (Burge, 2015, p. 1, para. 5).
For example, demonstrating the types of
phishing scams and how hackers socially
engineer situations and providing the best
response in these types of situations will
help employees be better prepared when a
hacker attempts to gain information.
One organization provided its employees
with cybersecurity training, providing examples
of different e-mails sent to scam employees.
At the end of the training, the trainers told
the employees that they would be sending
out a test scam e-mail to see if the employ-
ees would catch it. One employee received
an e-mail from the Chief Financial Officer
(CFO) requesting a wire transfer shortly after
the training. The employee forwarded it to
the information technology department,
with the message Nice try. It turns out it
wasalegitimate scam not a mock one cre-
ated by the information technology depart-
ment. Even though the employee alerted the
information technology department about
the e-mail, forwarding the e-mail could also
cause damage. However, this would not be
11/30/16 4:41 PM
 How Companies Can Increase Cybersecurity Awareness in Employees
something employees would consider unless
it had been specifically explained to them.
Although this is only anecdotal evidence,
it speaks to the value of role-playing and
simulations.
The limitation with the more traditional
types of engagement methods is the volume
of information that is necessary for employees
to process is at an all-time high. Cybersecurity
awareness training is not the only training
employees need and likely is not a priority
to employees, as their priority is to get their
job done quickly and efficiently. Information
technology specialists are faced with trying
to have cybersecurity information retained
by employees who are constantly bombarded
with information.
Information overload is a huge concern for
organizations, as all managers, supervisors,
and departments are wanting their informa-
tion to be heard. Unfortunately for informa-
tion technology departments, cybersecurity
is not a priority for most employees as it
doesnt directly impact their daily results or
how success is measured for them, and so
it is downplayed. Cybersecurity awareness
is vying for the attention of already over-
whelmed employees.
The reality of any policy implementation
is that unless there is support from the
top, implementation will be challenging.
Cybersecurity awareness is not different.
Buy-in from upper management is essential
for employees to consider cybersecurity
best practices a priority. One way to help
ensure that cybersecurity awareness training
is a priority is to incorporate cybersecurity
performance measures into each depart-
ment as part of their key success factors.
If employees are going to be evaluated on
their cybersecurity awareness, they will
make it a priority. This could be done in a
variety of ways: reduction of cybersecurity
breaches, timeliness of reporting incidents to
the information technology department, or
participation levels in cybersecurity training
of the department. Another way to evaluate
employees on cybersecurity could be to send
a test phishing e-mail to employees to see
Expert Insights 2016
Hoggard_EI_163345.indd 3
which employees report it to the information
technology department. For the employees
who do not report it, additional cybersecurity
training could be scheduled. This sends the
message that the organization considers this
an important area for employees to consider.
Once an organization has buy-in and is
comfortable with approaching information
technology with any cybersecurity issues,
how to deliver cybersecurity training in the
most effective manner needs to be considered.
As discussed previously, lengthy seminars
and classroom training may not be effective
with the levels of information employees are
expected to retain and process.
Rather than have committed trainingtime
every quarter for cybersecurity awareness
training, organizations should provide short
cybersecurity tips that employees can quickly
understand and implement. One way to deliver
cybersecurity tips is to have them pushed
to employees computers once a week or
biweekly so that they pop-up upon log in. It
is important that the tip is short and include
an explanation for why it is important. For
example, a tip could be Do not use public
Wi-Fi networks to send or receive confiden-
tial information. This is an important tip
but if your employees do not know why it
is important, they are less likely to follow it.
Following the tip with an explanation such
as When using a public Wi-Fi network, you
are more susceptible to hackers through the
network who can access the information will
increase the likelihood of the user following
the tip. The timing of the tips is important;
if your employees are subject to a tip every
time they log in or even on a daily basis,
they may liken them to white noise and just
ignore them.
Another way to communicate cybersecu-
rity awareness practices is to have catchy
posters or cartoons posted in the office. The
University of Michigan created posters for
password security comparing passwords to
underwear. One poster said passwords like
underwear should be changed often, another
said dont leave them lying around, and
another said not to share them with friends
3
11/30/16 4:41 PM