Ideas to Improve Employee Cyber Security?
Regardless of the sophistication of an organisation's technical protections, the attitudes and behaviours of employees will always play a major role in cyber and information security.
At a time when almost 40% of UK businesses report having identified a cyber attack in the last twelve months, organisations have a duty to do what they can to improve employee cyber behaviour and maximise their resilience to the broad range of modern information security threats.
Though there are many basic or foundational ways in which an organisation can seek to institute a general approach to information security, below are 5 less-obvious tips for improving an existing security program which we at Hut Six believe are worth your consideration.
Simulated Phishing Campaigns
Providing staff with the information needed to help defend against information security threats is of course essential, but it is only by putting these skills to the test that we find out how effective training truly is.
Many security awareness training providers (including Hut Six) also offer phishing simulators as part of their package: software which allows an organisation to send safe, specially designed mock-phishing emails to staff, testing their skills under realistic but controlled conditions.
From this testing, an organisation can identify the departments and individuals who require further assistance or training, as well as gain an understanding of its overall ability to withstand the most common form of information security attack.
It is also worth noting that several pieces of recent research have highlighted that phishing susceptibility appears to be independent of technical skill, i.e., staff working in more technical areas are no less likely to fall for phishing attacks (5 Anti-Phishing Insights Every CISO Should Know). As such, this kind of anti-phishing training is a valuable investment for all areas of an organisation.
Keep Lines of Communication Open
As with many areas, proper communication is essential to improving your organisation's information security. From communicating new and emerging threats, to gathering feedback from staff about what new resources they may need to stay secure, keeping lines of communication open gives all key parties access to the vital information they need.
Though effective security awareness training should be a primary tool for much of an organisation's outbound threat communication, regular meetings or briefings are also an opportunity to make staff aware of the consequences of failings, incidents, or even breaches, as well as organisation specific reporting procedures.
Having information and cyber security as a regular feature of organisational communications also helps to reinforce the importance of the subject, keeping security in the minds of employees and fostering a genuine security culture.
If you would like to learn more about communicating security information, in particular the concept of 'framing', be sure to check out our piece on the Psychology of Behaviour Change.
Train, Track and Test
As with simulated phishing attacks, one of the hallmarks of a mature information security program is ensuring that training is not only being undertaken, but also understood and put into practice.
When it comes to many other areas of business, organisations immediately understand the importance of metrics. For instance, if you are engaged in a digital marketing campaign, recording how many sales come as a result of the campaign is necessary to understand its success. Yet, in terms of information and cyber security training, too often organisations simply assume this is something that cannot be properly measured.
By investing in the necessary software to properly measure behavioural change, an organisation not only understands where and how it can improve its information security, but additionally, a security team can demonstrate value and return on investment to stakeholders.
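Both the phishing-simulation section above and this one argue that awareness training should be measured rather than assumed to work. The following added example (written for this edit; it is not Hut Six code and uses no Hut Six product API) shows the kind of aggregation a security team would run over exported simulation results: per-department click and report rates, repeat clickers who need follow-up, the click-rate trend across campaigns, and a threshold check that flags departments needing attention. The `SimResult` records, the department names, the campaign labels and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one simulated phishing campaign (hypothetical schema)."""
    user: str
    department: str
    campaign: str
    clicked: bool    # followed the lure link or opened the attachment
    reported: bool   # used the organisation's phishing-report channel


# Constructed sample data, not real results: three quarterly campaigns, five staff.
SAMPLE_RESULTS = [
    SimResult("alice", "Finance", "q1", True, False),
    SimResult("alice", "Finance", "q2", True, False),
    SimResult("alice", "Finance", "q3", False, True),
    SimResult("bob", "Finance", "q1", False, True),
    SimResult("bob", "Finance", "q2", False, False),
    SimResult("bob", "Finance", "q3", False, True),
    SimResult("carol", "Engineering", "q1", True, False),
    SimResult("carol", "Engineering", "q2", False, False),
    SimResult("carol", "Engineering", "q3", False, False),
    SimResult("dave", "Engineering", "q1", False, False),
    SimResult("dave", "Engineering", "q2", True, False),
    SimResult("dave", "Engineering", "q3", True, False),
    SimResult("erin", "HR", "q1", False, True),
    SimResult("erin", "HR", "q2", False, True),
    SimResult("erin", "HR", "q3", False, True),
]


def department_metrics(results):
    """Per-department send count, click rate and report rate.

    Report rate matters as much as click rate: a department that never clicks
    but also never reports gives the SOC no early warning of a real campaign.
    """
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.department] += 1
        clicks[r.department] += r.clicked
        reports[r.department] += r.reported
    return {
        d: {
            "sent": sent[d],
            "click_rate": clicks[d] / sent[d],
            "report_rate": reports[d] / sent[d],
        }
        for d in sent
    }


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns: follow-up training candidates."""
    campaigns_clicked = defaultdict(set)
    for r in results:
        if r.clicked:
            campaigns_clicked[r.user].add(r.campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_clicks)


def campaign_trend(results):
    """Overall click rate per campaign, in campaign order, to show whether training is having an effect."""
    sent, clicks = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.campaign] += 1
        clicks[r.campaign] += r.clicked
    return [(c, clicks[c] / sent[c]) for c in sorted(sent)]


def departments_needing_attention(results, max_click_rate=0.4, min_report_rate=0.25):
    """Departments above the click threshold or below the report threshold (thresholds are illustrative)."""
    metrics = department_metrics(results)
    return sorted(
        d for d, m in metrics.items()
        if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    for dept, m in sorted(department_metrics(SAMPLE_RESULTS).items()):
        print(f"{dept:12} sent={m['sent']} click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("trend:", [(c, f"{rate:.0%}") for c, rate in campaign_trend(SAMPLE_RESULTS)])
    print("needs attention:", departments_needing_attention(SAMPLE_RESULTS))
```

In the constructed data, Engineering is flagged not because its click rate is catastrophic but because nobody there reports anything, which is the metric that tells you whether the training has produced the behaviour you actually want.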
Finding the Right Time
Although it may not be obvious, choosing the right time to provide employees with training may have a significant impact on its efficacy. As elaborated in part II of our Psychology of Behaviour Change blog, research tends to suggest that behaviour interventions, such as information security training, are most likely to be effective when instituted at a time of significant life change.
With those who have gone through some form of upheaval (moving house, starting a new job, etc.) in the preceding three months considerably more likely to report changes in behaviour, it follows that organisations wishing to maximise their investment in information security training would be wise to mandate training at an early stage of employment or following a change of role.
This 'window of opportunity', although not often discussed, could have serious implications for improving employee security compliance and additionally serves as a great opportunity to enculturate staff into their new organisation or environment.
Don't Forget the Basics
Although there are many facets to improving your organisation's information security, it is also important to keep in mind the fundamentals for information and cyber security.
Whether the topic is password security, web safety or encryption, we all need a reminder sometimes to help us make the right choices. Whether the cause is absent-mindedness or complacency, avoidable human errors can have big consequences, and regular training goes a long way towards making security-conscious behaviour consistent.
This kind of 'persistent training', as it is termed by some, is believed to be the most effective at helping individuals retain vital security information and maintain security compliant behaviour across extended periods of time, thus avoiding 'skill decay'.
Although deciding upon training frequency can be something of a balancing act, it is up to organisations to find a system which integrates into users' daily workflows, while maximising effects on overall security compliance.
Regardless of your organisation's size or sector, information security is an ever-changing environment and will always be a concern and an area for improvement. Addressing it requires a sustained effort.
Hopefully, with these tips for improving employee cyber security in mind, your organisation will adapt and improve to meet the information security challenges which lie ahead.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.