Cybersecurity Awareness in Employees

Amy Hoggard, MS, CPA, CA, CFE, CIA

Security measures implemented in organizations are only as strong as the employees who use them. A strong password is only effective if it is not written down or shared among staff. In order to encourage employees to use cybersecurity best practices, it is important to explain why those practices matter and what could happen if they are not followed, as this will help increase employee engagement. There are a variety of methods organizations can use to increase cybersecurity engagement, focusing on succinct messaging of key points.

Why is Cybersecurity Awareness Important?

Cybersecurity awareness training for employees is vital for all organizations. A recent survey by Axelos, a company that develops information technology best practices, found that successful cyber-attacks required the help of an innocent person 90 percent of the time (Axelos Global Best Practice, n.d., p. 2, para. 3). Despite organizations now recognizing that cybersecurity is important, a cybersecurity plan for a business is only as good as its weakest link: employees. Organizations now must determine how to engage their employees to ensure that they are aware of the cyber-threats that they could encounter. In addition to engaging employees, an emphasis on the importance of preventing cyber-threats should be incorporated into training to reinforce to employees that it is a serious issue that should not be taken lightly. Real-life examples can help increase the relevance and value of the training.

Information technology specialists have managed to convince senior management of their organizations that information security is a significant issue, and now they are facing the challenge of increasing cybersecurity awareness in employees. The results confirming this are overwhelming. Axelos research found that 99 percent of information technology security specialists responsible for training decisions believed that cybersecurity awareness learning and training is key to securing information in their organization (Axelos Global Best Practice, n.d., p. 2, para. 4). But the question remains: how do you engage employees to care about cybersecurity?

How Cybersecurity Awareness Can Be Increased

Traditional classroom-style training has been used for cybersecurity awareness training by many organizations. Having a half-day, full-day, or longer seminar discussing all the risks employees could be exposed to and how to respond to them will help disseminate the information to employees, but the retention of information within a seminar-style course is only 5 percent (Burge, 2015, p. 1, para. 5). Organizations should avoid having purely lecture-style training in order to increase the retention level of employees.

Incorporating role-play within this classroom training will help increase retention of the information provided, as the employees are more engaged with the topic than when the information is simply presented to them. Having the employees practice and do what is being taught increases retention from 5 to 75 percent (Burge, 2015, p. 1, para. 5). For example, demonstrating the types of phishing scams and how hackers socially engineer situations, and providing the best response in these types of situations, will help employees be better prepared when a hacker attempts to gain information.

One organization provided its employees with cybersecurity training, providing examples of different e-mails sent to scam employees. At the end of the training, the trainers told the employees that they would be sending out a test scam e-mail to see if the employees would catch it. One employee received an e-mail from the Chief Financial Officer (CFO) requesting a wire transfer shortly after the training. The employee forwarded it to the information technology department with the message "Nice try." It turns out it was a legitimate scam, not a mock one created by the information technology department. Even though the employee alerted the information technology department about the e-mail, forwarding the e-mail could also cause damage. However, this would not be something employees would consider unless it had been specifically explained to them. Although this is only anecdotal evidence, it speaks to the value of role-playing and simulations.

The limitation of the more traditional types of engagement methods is that the volume of information employees are required to process is at an all-time high. Cybersecurity awareness training is not the only training employees need and likely is not a priority to employees, as their priority is to get their job done quickly and efficiently. Information technology specialists are faced with trying to have cybersecurity information retained by employees who are constantly bombarded with information.

Information overload is a huge concern for organizations, as all managers, supervisors, and departments want their information to be heard. Unfortunately for information technology departments, cybersecurity is not a priority for most employees, as it doesn't directly impact their daily results or how success is measured for them, and so it is downplayed. Cybersecurity awareness is vying for the attention of already overwhelmed employees.

The reality of any policy implementation is that unless there is support from the top, implementation will be challenging. Cybersecurity awareness is no different. Buy-in from upper management is essential for employees to consider cybersecurity best practices a priority. One way to help ensure that cybersecurity awareness training is a priority is to incorporate cybersecurity performance measures into each department as part of their key success factors. If employees are going to be evaluated on their cybersecurity awareness, they will make it a priority. This could be done in a variety of ways: reduction of cybersecurity breaches, timeliness of reporting incidents to the information technology department, or participation levels in cybersecurity training within the department. Another way to evaluate employees on cybersecurity could be to send a test phishing e-mail to employees to see which employees report it to the information technology department. For the employees who do not report it, additional cybersecurity training could be scheduled. This sends the message that the organization considers this an important area for employees to consider.

Once an organization has buy-in and is comfortable with approaching information technology with any cybersecurity issues, how to deliver cybersecurity training in the most effective manner needs to be considered. As discussed previously, lengthy seminars and classroom training may not be effective given the levels of information employees are expected to retain and process.

Rather than have committed training time every quarter for cybersecurity awareness training, organizations should provide short cybersecurity tips that employees can quickly understand and implement. One way to deliver cybersecurity tips is to have them pushed to employees' computers once a week or biweekly so that they pop up upon login. It is important that the tip is short and includes an explanation of why it is important. For example, a tip could be "Do not use public Wi-Fi networks to send or receive confidential information." This is an important tip, but if your employees do not know why it is important, they are less likely to follow it. Following the tip with an explanation such as "When using a public Wi-Fi network, you are more susceptible to hackers on the network who can access the information" will increase the likelihood of the user following the tip. The timing of the tips is important; if your employees are subject to a tip every time they log in, or even on a daily basis, they may liken the tips to white noise and just ignore them.

Another way to communicate cybersecurity awareness practices is to have catchy posters or cartoons posted in the office. The University of Michigan created posters for password security comparing passwords to underwear. One poster said passwords, like underwear, should be changed often; another said don't leave them lying around; and another said not to share them with friends