Today, we hear a lot about the consequences of hacking and poor IT security practices. It's also important for company employees to know what could potentially happen if they don't follow proper security procedures. But it's far from enough to just tell your employees about the negative consequences. One of the most important things in creating a healthy cybersecurity culture in your company is to create an environment where your employees are motivated to learn about cybersecurity and where it becomes a natural part of their daily lives.
You therefore need to take a people-centred approach that leaves room for questions and rewards employees for their work, rather than punishing them for making mistakes. Focusing only on the "scary" aspects of IT security and using them to get your employees to change their security practices will not work.
A strong cybersecurity culture involves every employee not only being aware of policies and procedures, but also understanding cybersecurity and the role they play in it. It also involves employees' attitudes towards cybersecurity and how it affects their actions. If their attitude towards IT security is characterised by fear and uncertainty, they are less likely to take an active role.
Scare tactics create a culture of insecurity
Fear-based tactics will only create uncertainty among your employees and affect their productivity in the long run. Uncertainty will lead to them often guessing and being more likely to make the wrong decision.
However, when employees feel secure because they are supported and encouraged, they will want to actively participate in improving and maintaining IT security.
Remove obstacles by coming up with solutions
Focusing only on what not to do and what happens if you make a mistake will not lead to optimal IT security. Because how will your employees know how to avoid making mistakes if you don't offer them solutions?
For example, when you want to implement good password hygiene, employees obviously need to understand why it's important, but they also need to know what to do in those practices. Here at Moxso we have a video series on great tips and tricks, including how to use a password manager and multi-factor authentication.
You need to give employees solutions so they can succeed in creating good IT security and feel safe when using software applications, receiving emails or handling company data. Providing resources and solutions increases trust among employees.
Your IT department needs to be accessible
Another problem with fear-based tactics is a lack of communication and transparency on both sides. Often, there are two reactions to this kind of tactic. Either it provokes fear and uncertainty among employees or it creates sceptics who believe the threats are being exaggerated.
Both reactions make employees feel that their employer or security team does not trust them to do the right thing because so much time is spent talking about consequences. This lack of trust can mean that employees will not communicate when there are potential safety issues.
Continuous training is the way forward
If awareness training is not a permanent part of your cyber security culture, a sudden introduction of awareness training may lead employees to believe that there are problems in the company or that they have done something wrong. Training may be seen as a punishment or a requirement - not something fun, exciting or positive.
This is why continuous awareness training is an extremely important part of a positive approach to IT security. It shows interest in employee development and helps them understand IT security. This doesn't mean that you shouldn't offer training in response to a bug or incident, but it does mean that employees will feel less exposed when these things happen because the training is already happening regularly, regardless of the circumstances.
Our cybersecurity training in Moxso consists precisely of continuous phishing simulations and engaging training videos and quizzes that employees can access whenever they want. This creates a naturally high level of employee engagement. In addition, our cybersecurity training motivates employees by awarding them points for their good work and commitment.
Punishing mistakes vs. praising communication
Often, mistakes occur because an employee was ill-prepared to handle a specific situation. It has been described that a company can try to prevent incidents by providing resources and solutions to employees, but if mistakes happen, use the san educational experience for all employees. It often takes a lot of courage to acknowledge mistakes and communicate them to others.
Praising people who communicate properly is an important part of a good cyber security culture. Employees will be much more likely to ask questions or admit mistakes if they know they won't just be punished for it. Prompt reporting leads to prompt investigation of the problem.
By taking a people-centric approach to cybersecurity, you can motivate your employees to stay invested in maintaining strong cybersecurity for the long term.
In organizations and companies that positively motivate their employees to become "IT bodyguards", awareness training and the overall cybersecurity culture are much more likely to succeed.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.