For most modern organizations, cybersecurity has become a top priority. From basic protocols like firewalls and two-factor authentication to restricted administrative and network access, companies are taking steps toward tighter security in order to avoid becoming the next victim of a corporate data breach.
Where many companies struggle is ensuring that all employees understand and adhere to organizational security policies. To help you with this issue, we asked members of the Forbes Technology Council how leaders can encourage greater employee buy-in and compliance on cybersecurity procedures. Here is what they said:
1. Encourage Fun And Frequent Participation
Achieve long term buy-in across a broad employee base by making the cybersecurity policies and compliance procedures relatable and straightforward. Facilitate frequent but bite-sized training sessions to explain critical concepts while limiting the scope to a group’s security exposure. Emphasize compliance by associating threats to individual use cases and how a lapse can impact employees personally (privacy breach, identity theft, tax fraud). Make it fun by maintaining shared leader boards and competitive scorecards between teams and/or business units. – Mahesh Chaddah, Reservations.com
2. Recognize ‘Security Leaders’ At All Levels
Security compliance starts at the top. Every employee must understand the importance, as well as the risks, of dismissing it as “IT’s problem.” By making security policy implementation a priority and simplifying it by automating protections, you’re well ahead of the game. All companies, no matter the size, should have a “Chief Security Officer” – someone who has the responsibility of looking out for the company’s security interest and has a direct channel to the executive team. There should be no special workarounds for executives; they are typically the most vulnerable and targeted. Be sure to recognize “security leaders” at all levels in your company whose diligence, such as spotting a phishing attempt, saves you from an attack. – Gary Smerdon, TidalScale, Inc.
3. Communicate About Cybersecurity Frequently In A Variety Of Ways
Have a regular, steady cadence of communication and training. Discuss cybersecurity in forums, like all-company meetings. Engage employees through fun, interactive campaigns. Finally, show examples of what the threats look like so employees can better recognize them. – Christy Wyatt, Absolute
4. Gamify Education
Education and communication tend to be the best way to get buy-in from employees as to the importance of protocols and procedure adherence. Endorsing a team environment in enterprise security is key. Educating the team on the long-term repercussions of lapses, both to the enterprise and potentially them personally as well, is important. When it comes to education, using novel methods such as gamification should be attempted. This works for adherence compliance as well. – Jose Morey, Liberty Biosecurities
5. Make The Business Case For Cybersecurity
Give employees full and periodic visibility from the CEO level into how lack of compliance is impeding the business. For example, “We need to get ISO-27001 certified to improve our security posture so Fortune 500 companies can trust our product to improve their lives. We are currently 45% of the way there; here is where we are blocked.” – Ashar Rizqi, Blameless
6. Have An Employee-Focused Dialog About Security
We implement and improve employee buy-in around technology rollouts. Most often, we find that focusing on the people in the organization obtains the best results. Focusing on the employee means to seek to understand what your teams know about the problem and why it is important the organization move forward with a solution. We find explaining the procedural rollout, educating on the risks and reviewing known cases tackled by the organization help clarify the need for the solution. With an open dialog, often people together find they can implement the solution through the technology. – Cole Crawford, Vapor IO
7. Explain The ‘Why’ Behind New Security Policies And Procedures
Open and ongoing education, training and risk transparency are all key factors in obtaining employee buy-in associated with compliance and cybersecurity procedures. Security is often viewed as an inhibitor to productivity or worse yet, an organization’s approach to implementing a “big brother” program. When security policies, procedures, changes and new implementations are openly communicated, and the value and reasons why they are being put into practice are shared, employees are much more accepting. – Donald Schlising, Landmark Services Cooperative
8. Make It Personal
Make it personal first by demonstrating how cybersecurity impacts their personal lives and providing training to how they can protect the privacy of themselves and their children. Second, introduce them to what it means for the business, including how the company has access to employee bank accounts for direct deposit that it aims to protect, how the company stock price is impacted during a breach, how cybersecurity is compliance is necessary for the company to exist, and how security can be an enabler that allows a company to go faster. – Reinier Moquete, Advoqt Cybersecurity
By Forbes Technology Council