Awareness is key, the more aware an employee is the safer they will be as they perform day-to-day activities in a dangerous environment. Effective cybersecurity strategies employ the same focus on end user awareness.
The most effective safety programs are a result of employee awareness. The more aware, the less likely it is that employees will hurt themselves as they perform day-to-day activities in a dangerous environment. Effective cybersecurity strategies employ the same focus on end-user awareness. IT can only do so much without end users taking responsibility for how they access the internet and respond to emails.
It is relatively easy to set up firewalls, update operating systems and deploy antivirus software. Unfortunately, there is little to stop an employee from clicking on an infected link or incorrectly responding to a phish or spoof without completely disconnecting end users from the Internet. Disconnecting from the Internet would bring business to a halt. IT has to work with business to plug the vulnerability gap caused by software “between the ears.” Cybersafety should have no less a focus than any other safety program.
There are three components to an effective worker safety program which can be directly applied to increase employee cybersafety awareness:
All employees should have mandatory Cybersafety training. Just as plant employees are taught to wear safety hats, shoes and glasses, end users should be taught about strong passwords, safe Internet use and detecting possible phising or spoofing emails. IT is responsible for developing or acquiring relevant training materials and working with business to ensure training is deployed across the company.
Clearly communicating the importance of training is critical. While OSHA provides a strong external driver for safety training and compliance, there is really no equivalent body enforcing cybersafety. Key business leaders should kick off training sessions with clear emphasis on the importance of cybersafety compliance. Otherwise end users will ignore what is being covered in class by surfing websites they should be avoiding.
Keeping employees engaged throughout training is important. Duplicating the excitement of learning how to use an extinguisher to put out a real fire can be difficult. There are materials that create slot-machine like flashing screens and annoying beeping sounds when a computer is infected with a virus or a phishing link is clicked. Allowing employees hands on experience with these materials ensures the proper level of engagement.
Most plant breakrooms have a variety of safety posters on the walls. Entrances highlight how many days the since the last reportable injury. Bathrooms have urine hydration charts to ensure employees know when they need to drink more water. Meetings start with a safety minute that covers a broad range of topics from fire alarm muster areas to brief descriptions of safety violations and subsequent consequences. These constant reminders and materials are intended to keep a high level of employee safety awareness.
IT should work with business to duplicate messaging and materials to keep a high level of Cybersafety awareness. The marketing or human resources departments can help develop programs that can be shared across the company. Posters with messages such as “Don’t be a phool, don’t get phished” or clearly show what a spoof email looks like should be liberally spread in break areas. IT could work with the Health, Safety and Environment (HSE) department to expand the safety minute to remind end users of cybersafety.
The most important repeated message is the simplest. If anyone has a question about a website, link or email, contact IT immediately. IT should work with the business to quickly address real or perceived lapses in cybersafety.
Employees will be more diligent about cybersafety if there is a perception of being monitored or tested. IT should develop a series of phish and spoof tests to determine compliance. Clearly communicate the results via emails which no one reads or by postings in break rooms. Increase compliance rates by creating competition between departments to see who has the lowest fail rates.
After the first two or three rounds of tests, companies who are heavily regulated may even start logging failures in HR employee files. Companies with significant liability associated with cybersecurity penetration should consider a direct impact on bonus or overall employee evaluation rankings.
Either way, employees should have a clear understanding they are being monitored and tested. Compliance will quickly follow in this situation.
IT may have difficulty convincing business that a cybersafety program should be treated the same as other HSE programs. However, the risk and liability associated with a cybersecurity breach is high. IT can work with legal counsel to clearly understand the impacts of HIPAA, FISMA, HR1770 and recent Justice Department rulings on a company’s liability associated with a cybersecurity breach. To be compliant, business and IT will have to work together to address the main weakness in any cybersafety program.
Peter Purcell is a co-founder and managing director of Trenegy. He has more than 27 years of business and consulting experience focused on helping companies get value out of their systems. He has led ERP implementations, process redesign projects and change-management initiatives for companies in the energy, manufacturing and services industries. Peter is best known as a someone who can translate the languages of business and IT for clients as they address strategic issues.
Peter gives back to the community by serving on the boards of several nonprofit organizations. He is regularly featured as a keynote speaker at industry conferences and in university programs. He is the editor of Trenegy Perspectives, a quarterly publication that focuses on how companies can successfully leverage technology to support strategic goals and objectives.
The opinions expressed in this blog are those of Peter Purcell and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.