It’s getting harder for the security culture to keep up with the unprecedented levels of cyberattacks each year. The numbers keep increasing, and the question about a data breach is changing. If you have a poor security culture, you shouldn’t ask yourself whether you’ll be hacked. Instead, you should ask when you’ll be hacked.
The culture of your company is what happens when no one’s looking. Will everyone strive to finish their work, or will they slack off? In terms of security, it’s what people are doing on their own devices. Will they click on a phishing link? Will they connect to a public Wi-Fi network? Are they using the same password for all accounts? The security of your entire company depends on the answers.
How to start building a security culture?
Many CEOs and managers believe that culture is a single PowerPoint presentation once a year. However, that’s not the case at all. It’s something that needs care and nurturing. You can’t change your personality and habits in a day, not even a week or month. You can only change a pattern by consistently working on it, which is also true about security culture.
You have to make it a life cycle that lasts. It needs to be fun and engaging, and it needs to offer rewards and a return on investment. You need to be aware that people might be the weakest links in any computer system.
Devices are simple and programmable. They do what they’re programmed to do. The issue is with the people who use them. A computer will never click on a phishing email that tells it that it’s won millions of dollars from a distant deceased relative in another part of the globe. One of your employees might read it and enter their credit card details. Everyone wants to do the right thing, but they need to be taught how to do it.
Make it engaging and fun
No one likes to sit and listen to a boring presentation where the speaker just reads the words. That’s why you need to make it fun. Security is a serious topic, but who says that you can’t have a bit of fun with it?
To raise awareness about phishing emails, you can organize a writing workshop. Every employee can write an email based on publicly available information for their coworkers. This includes LinkedIn, Facebook, and Instagram. Hackers will do the same thing, so getting the knowledge early is essential.
Invite an ethical hacker
It’s one thing when you hear about the dangers of a security breach, but it’s completely different when you experience it. A great thing to do is invite an ethical hacker and have them perform a man-in-the-middle attack (MITM) in front of your employees.
Set up a public Wi-Fi network to test the process, and ask for a volunteer or someone who connects to these kinds of networks all the time. Then, the ethical hacker can perform the MITM attack in real time to show the types of information that real hackers can exploit.
An experience like this will open their eyes, and your employees will know the importance of using a VPN on their devices. Plus, if you show them that it’s easy to use, that’s another bonus. The fastest VPN won’t cause any change in browsing speed. They’ll be happy that their information won’t be exploited, and you’ll be glad that no one will use a weak point to target your company. Both sides win.
Reward the people who participate
After someone completes the program, compliment them publicly. You can also offer a reward, such as a cash prize, or buy them a yearly VPN plan. Let’s say that you give a hundred bucks to everyone who finishes the training successfully. News of that will spread faster than light. All of the other employees will be happy to hear everything you say.
Think of how much it will cost if a data breach happens that you could have avoided. The average cost of a data breach is a few million dollars. If you’re concerned about security, you should put your money where your mouth is.
A few final words
Be creative when teaching the basics of security. Before you can hold your employees accountable for security mistakes, you need to teach them the right way. Help them make the right decisions.