Melanie Armstrong joined Mimecast in May 2020 as a Digital Marketing Specialist. She has a wealth of experience in providing impactful marketing solutions across a variety of industries and clients. Melanie takes great pride in her work which has seen her recognised through the Media Federation of Australia and Pro Print Emerging 50 awards. She enjoys helping businesses to stay informed about cybersecurity in Australia, and how to remain resilient in this space.
Fostering a cyber-positive culture in your organisation takes a lot of work. Large numbers of people remain unfamiliar or uncomfortable with cybersecurity, and many awareness programmes are built around shaming offenders.
But shame is not an effective motivator. Instead, companies should work to build a supportive business culture, in which colleagues feel informed and comfortable enough to report risks and identify threats.
Employees can be a cybersecurity risk, or a cybersecurity asset
Every employee is a potential target for cyberattacks. If you’re concerned about the role of your staff in cybersecurity threats, you’re not the only one. In 2021, Mimecast research showed that 65% of businesses in Australia believed employee behaviour was putting their company at risk, while 69% have been hit by an attack that spread from a compromised user to other employees.
That risk has been amplified by the increase in remote working since COVID-19 struck, which gives attackers a larger, and potentially less easily managed, attack surface to exploit. Given all this, it can be tempting to see not just hackers but your own colleagues as a potential threat. On the flip side, that also means well-trained, cyber-aware employees can be a powerful defence.
Shaming can hurt your training goals
The negative attitude towards employees' cyber-behaviour can be compounded by the wrong office culture. Shaming the source of a security breach is nothing new. Some firms, in the course of penetration testing, have sent fake phishing emails to internal recipients to see who follows the links, then shared the results company-wide. Others have even publicly criticised colleagues who've given employees the wrong system privileges.
Both these measures have good aims. Fake phishing emails can give your staff practical experience of potential threats, and improperly managed access is a problem worth drawing attention to.
But any training program built around shaming people is deeply flawed. Guilt and shame do not build good behaviour: shame in particular, as Scientific American notes, “reduces one’s tendency to behave in socially constructive ways” and causes us to “direct our focus inward and view our entire self in a negative light”. Embarrassing staff for their mistakes doesn’t help them learn, and definitely doesn't create a healthy company culture. Employees will start to feel like you’re not on their side, but are out to get them.
How to create a cyber-positive culture that sticks
Thankfully, there are far better ways to educate your workforce and keep them engaged. For starters, of course, there’s awareness training. It should be conducted regularly to keep staff aware of new threats and reinforce lessons that may have been forgotten. Yet Mimecast’s studies show that only one in four Australian companies provide ongoing cybersecurity training.
How you train is just as vital. You can run modules educating staff about specific threats and company policies, and pat yourself on the back when they answer surveys correctly. But training is also about encouraging changes in attitudes and behaviour, and making employees comfortable enough to raise their hand if they feel something is off, without fear of being penalised. An engaging, positive and supportive training program is much more likely to succeed than one that penalises staff.
Creating such a supportive cyber-positive culture is far easier with company-wide buy-in. Getting visible support at board level will add authority to any cyber awareness campaign, and help employees feel like cybersecurity is something that runs through the company, rather than simply a mandate that’s imposed on them.
HR may be able to offer advice and lighten the load, helping produce accessible training material that speaks to less tech-savvy staff. Reputable third-party trainers usually have the expertise to communicate business needs in an enjoyable way.
For best results, make it inclusive
Making training a regular, interactive event can help it stick. Some firms don’t shame poor performers, but instead praise particularly good ones, presenting top-ten tables of the best scores in training. Gamification can lighten what to some staff may feel like a dry subject.
Another key tool in increasing engagement is to make training relatable. Talking about cybercrime’s impact close to home – like the cyberattack that targeted a Victorian high school or hackers’ disruption of Channel Nine’s broadcasts in March 2021 – can make incidents feel more real. So can making training personal, and underscoring how the laptops on people’s desks and the phones in their pockets are portals through which everything from company data to their own personal savings can be accessed.
Back up cybersecurity talk with action
Making cybersecurity training more frequent and more compelling is a great step towards creating a cyber-positive company culture. But if that momentum isn't backed up by processes to support it, it will be wasted. CISOs and IT managers also need to listen to employees' concerns and input.
That can be as simple as being present and approachable. More formal strategies include web forms where users can report bugs and concerns about improper access, a button to report phishing in company email, and an IT or cybersecurity channel in your internal messaging tool. It also means transparency: honestly reporting threats and mistakes, and keeping up a dialogue with your colleagues rather than simply listing protocols.
Creating cyber awareness without fear
Shaming employees who make mistakes can be a natural reaction. But it can also create a climate of fear in which staff don’t want to speak up. A healthy cybersecurity culture will instead feature frequent, relevant and relatable training and a receptive IT team that works hard with other departments to build a culture of open collaboration in which risks are reported and hunches shared. Those employees who once seemed a risk can be one of your greatest weapons against cybercrime.