Ideas to Improve Employee Cyber Security?

Regardless of the sophistication of an organisation's technical protections, the attitudes and behaviours of employees will always play a major role in cyber and information security.

At a time when almost 40% of UK businesses identify a cyber attack in the last twelve months, organisations have a duty to do what they can to improve employee cyber behaviour and maximise their resilience to a broad range of modern information security threats.

Though there are many basic or foundational ways in which an organisation can seek to institute a general approach to information security, below are 5 less-obvious tips for improving an existing security program which we at Hut Six believe are worth your consideration.

Simulated Phishing Campaigns

Providing staff with the information needed to help defend against information security threats is of course an essential, but it is only by putting these skills to the test that we find out how effective training truly is.

Many security awareness training providers (including Hut Six) also provide as part of their package phishing simulators. Software which allows an organisation to send safe and specially designed mock-phishing emails to staff, testing their skills in a real-life, but secure environment.

In this testing, an organisation can identify both the departments and individuals who require further assistance or training, as well as gaining an understanding of their organisation's overall ability to withstand the most common form of information security attack.

It is also worth noting that several pieces of recent research have highlighted that phishing susceptibility appears to be independent from technical skill, i.e., staff working in more technical areas are no less likely to fall for phishing attacks (5 Anti-Phishing Insights Every CISO Should Know). As such, this kind of anti-phishing training is a valuable investment for all areas of an organisation.

Communicating Threats

As with many areas, proper communication is essential to helping improve your organisation's information security. From communicating new and emergent threats, to gathering feedback from staff about what new resources they may need to stay secure, ensuring lines of communication are open allows all key parties access to the vital information they need.

Though effective security awareness training should be a primary tool for much of an organisation's outbound threat communication, regular meetings or briefings are also an opportunity to make staff aware of the consequences of failings, incidents, or even breaches, as well as organisation specific reporting procedures.

Having information and cyber security as a regular feature of organisational communications also helps to reenforce the importance of the subject, keeping security in the minds of employees and engendering the spirit of a secure culture.

If you would like to learn more about communicating security information, in particular the concept of 'framing', be sure to check out our piece on the Psychology of Behaviour Change.

Train, Track and Test

As with simulated phishing attacks, one of the hallmarks of a mature information security program is ensuring that training is not only being undertaken, but also understood and put into practice.

When it comes to many other areas of business, organisations immediately understand the importance of metrics. For instance, if you are engaged in a digital marketing campaign, recording how many sales come as a result of the campaign is necessary to understand its success. Yet, in terms of information and cyber security training, too often organisations simply assume this is something that cannot be properly measured.

By investing in the necessary software to properly measure behavioural change, an organisation not only understands where and how it can improve its information security, but additionally, a security team can demonstrate value and return on investment to stakeholders.

Finding the Right Time

Although it may not be obvious, finding the correct time to provide employees with training may have a significant impact on its efficacy. Further elaborated in part II of our Psychology of Behaviour Change blog, research tends to suggest that behaviour intervention, such as information security training, is most likely to be effective when instituted at a time of significant life change.

With those going through some form of upheaval (moving house, starting a new job, etc) in the preceding 3 months considerably more likely to report changes in behaviour, it follows that organisations wishing to maximise their investment in terms of information security training, would be wise to mandate training at an early stage of employment or following a change of role.

This 'window of opportunity', although not often discussed, could have serious implications for improving employee security compliance and additionally serves as a great opportunity to enculturate staff into their new organisation or environment.

Don't Forget the Basics

Although there are many facets to improving your organisation's information security, it is also important to keep in mind the fundamentals for information and cyber security.

Including topics such as password security, web safety, or encryption, we all need a reminder sometimes to help us make the right choices. Whether it is absent mindedness or complacence, avoidable human errors can have big consequences. Regular training goes a long way in helping to make security conscious behaviour consistent.

This kind of 'persistent training', as it is termed by some, is believed to be the most effective at helping individuals retain vital security information and maintain security compliant behaviour across extended periods of time, thus avoiding 'skill decay'.

Although deciding upon training frequency can be something of a balancing act, it is up to organisations to find a system which integrates into users' daily workflows, while maximising effects on overall security compliance.

Regardless of your organisations size or sector, as an ever-changing environment information security is always going to be a concern and an area for improvement. For this, a sustained effort is required.

Hopefully, with these tips for improving employee cyber security in mind, your organisation will adapt and improve to greet the information security challenges which lay ahead.