How to Convince Employees to Care About Security Training

When they’re trying to motivate employees to practice better security, C-suite executives will hail their staff as the first line of defense a company has against hackers and cybercriminals. What they often mean, unfortunately, is that employees’ poor security habits are costing companies time and money, and leading to the loss of critical information.

A 2018 survey by information security company Shred-It found that a company’s own employees are overwhelmingly the No. 1 source of data breaches. Three key findings from the survey:

  • More than 25 percent of employees admit to leaving their computers unlocked or unattended.
  • Forty-seven percent of business leaders say human error has led to a data breach at their company.
  • Companies hit by data breaches spent an average of $3.6 million cleaning up the mess.

The numbers don’t lie: Employee negligence, which stems from a combination of ignorance and laziness, is costing companies millions. When small-to-medium businesses get hit by a cyberattack or a data breach, the majority are out of business within six months. How does the average firm fight against its own indifference? How does it impress upon staff that simple mistakes can have catastrophic results?

Cultivating employee motivation is hardly just a problem for security training. HR departments and C-suite executives have spent decades seeking the best practices to motivate individuals and teams. Here are a few ideas to get your employees excited about security diligence and vigilance.

Incentivize Training and Practice

No matter what industry your business is in, three things will always motivate 99 percent of your employees: free food, time off and money. You can combine all three of these motivational factors into a security training session. Hire a team of experts to put it on and use a conference room in your building or somewhere offsite to host it. Have it catered by a favorite restaurant and make it a half-day event, with attendees getting the rest of the day off as a reward for signing up. Pulling employees out of the office will take their focus away from their work duties, and the other two motivators will sharpen their attention to what they’re being taught. Keep the motivations going as you implement the practices. For example, employees who update their password every 90 days without needing more than one reminder get a choice of free lunch, a gift card or a half-day of vacation time added to their yearly ledger.

Enable ‘Live Fire’ Training

Just because they’ve completed the training doesn’t mean your employees have retained a single thing. Use your IT department to send out the sort of phishing emails your employees have been warned about and see how each one responds. This can be done team by team or across the whole company at once. Those who delete or report the emails can receive a small reward, such as a gift card, for following through. The ones who fail to handle the situation properly don’t have to be ostracized, but they can be made aware of what they should have done. If they fail several “training” exercises in a row, retraining is an option.

Make Security Part of Your Company Culture

The more prevalent something is at your business, the more people will buy into it. Have your CIO or IT manager get involved during the onboarding process to impress upon new hires just how important security is at their new workplace. For veteran employees, make sure your messaging is being passed on through their team leaders. Avoid lengthy emails and memos; most employees will read the first two sentences before tossing them in the trash. Instead, use videos and hang infographics in key places in the office, such as in the break room, near the copy machine, next to the coffee machine and, yes, even in the bathroom. Even if employees aren’t particularly interested in security, the repetition of seeing phrases and actions in visual form will help them recall those messages when they encounter something out of the ordinary online.

Be Transparent about the Bottom Line

Most of your employees are great at their jobs, but not all of them have the mindset or the interest level to think about the big picture. A huge motivational tool for enhancing interest in security is to show employees the actual step-by-step process of what an attack is and what it can do. While IT managers might be the best technical minds for a job like this, who you really want is a storyteller to capture your audience’s attention. Whether this is your CEO, the head of marketing or simply an employee whom everyone knows and respects, the goal is to keep the audience’s attention. Craft a script that details what motivates a cybercriminal to attack your company. Is it for financial gain? To swipe proprietary information? To aid a competitor?

Walk your staff through the steps that will happen after the data breach occurs, making sure to hit hard on the points that have the company spending thousands or possibly even millions of dollars repairing damaged infrastructure or recapturing customer trust through branding and marketing. Emphasize that the financial drain from patching the data breach will have long-term effects on the company’s ability to upgrade equipment, hire new staff, offer raises or enhance benefits packages.

Take Their Advice

Just as plenty of employees can’t always see the company’s big picture, plenty of C-suite executives are too far removed from individual workers’ day-to-day to see the details. Creating an open-door policy for suggestions and questions can stop some cybercriminals before they ever get a foot in the door, and lead to extra lines of defense.

Security Boulevard
Marty Puranik
Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player in the region, while observing America's regulatory environment limit competition and increase prices on consumers. To keep pace with a changing industry, over the years he has led Atlantic.Net through the acquisition of 16 Internet companies, tripling the company's revenues and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream did, Atlantic.Net has expanded to seven data centers in three countries, with a fourth pending.