Well, it is hard to believe that we are halfway through the year now. So, in other words, have a Happy 4th of July everybody!!! Take the day off, relax, enjoy time with family and friends, and most importantly take the time to reflect for some time what the meaning and significance of this date in time really means.
As I take the time to reflect upon this, I also think about the Cybersecurity threat landscape that I keep talking about in my blogs, and in my everyday conversations with people. Apart from actually preventing Cyberattacks at all (which of course, we know will never happen), one of the other biggest obstacles that Corporate America faces (when I use this term, I mean every business ranging from the Fortune 500 all the way to the smallest of the Mom and Pops) is to actually convey to employees how important it is to maintain good levels of “Cyber Hygiene”.
There are many tried and tested techniques, such has having regular employee training programs, to even enforcing the strictest penalties for failure of Security Policy compliance. But from what I can tell, nothing seems to be clicking quite yet. So, as I was perusing the news headlines as to what to write about on this holiday, I came across an article which has a novel new approach.
That is, treat it like a marketing campaign, as you would for your product lines and services. In other words, use the same techniques that you use to woo customers to win over your employees. But the key here is, don’t treat them like that – think of them as customers that you want to win over. Of course, your product and service in this instance would your Cybersecurity strategies to protect your business, and to get their buy in for that.
Here are four ways that can help you to accomplish this task:
*Don’t just preach about Cybersecurity:
Keep in mind that your new strategy is now called, for lack of a better term, “Cybersecurity Marketing”. But as just described, your customer base is not the people who actually buy your products and services – your new customers are your employees, so the same lingo that you use for your traditional marketing has to change drastically, after all, they are a totally different kind of customer base. For example, you want to win the trust of your employees. This can only be done by really listening to what their needs, fears, and wants come when it comes to Cybersecurity. They need to be treated like a business partner, in order to get their buy in. Remember, using the fear tactic only works, and it will backfire. In other words, treat your employee like they are your best friend, and keep your language and lingo succinct and to the point. The most important thing to do is listen and be empathetic! Look for and examine the commonalties of what they are talking about. After all, when you try to win new prospects over, isn’t part of the sales strategy just to listen what their pain points are?
*Bring in an outside Human Resources consultant:
When trying to craft their Security Policies and figuring out ways in how to communicate that to their employees, many businesses and corporations, if they can afford it, will bring in a Cybersecurity firm to help to initiate these efforts. But keep in mind, these are “technical experts”, and are superb at what they do. In other words, they can help you strategically plan where to put your Firewalls and Routers, but they will not necessarily have the expertise in order to address the “human element” of your Security Policies – that is how to properly convey it to your target audience – which are your employees. True, this may cost some money initially, but the Return On Investment (ROI) will pay off in the log term. After all, what is even the point of creating and implementing a solid Security Policy when your employees won’t even abide by it? That is where an HR or Psychology Consultant can help you out. He or she can offer their own, unbiased views of how to properly communicate it so that you will literally win the hearts of your employees. Remember, you are not dealing with techno geeks – your employees are the average, everyday folks trying to make in it in life who may not even have a clue as to what Cybersecurity is all about. Don’t judge them negatively for that. I have this saying, that I try to make a conscience effort to follow: “Don’t judge somebody until you have walked a mile in their own shoes”.
*Relate only those parts of your Cybersecurity Strategy that matter the most:
I realize that this sounds of kind of weird, after all, you want all your employees to abide by your plans and ideas, right? Theoretically yes, this is true. But keep in mind that if your business is large enough (say, the baseline here is 15-20 employees) your employees are going to be of different employees. For example, you will probably have an IT department, HR, Accounting, etc. It is important to note here that they do not have to know everything that you are planning for. They just need to know what is relevant to them. In the end, that’s all they will care about. For example, with your IT staff, they will probably be primarily concerned with your policies on password escalation privileges, and your Accounting staff will be much more worried about those parts of your Security Policy that relate to audit controls and how to come into compliance with the many laws regulations, such as GDPR. What I am trying to get at is, don’t bog your employees down will extraneous detail, just get their buy in for what is relevant to them, and just convey those parts of your Security Policy. But also, keep in mind that you need to address general Cybersecurity concerns to all your employees, such as how to recognize a Phishing Email.
*Establish metrics to measure your goals:
These are also known as “Key Performance Indicators”, or KPIs. Once you feel, as business owner that you have overall won your employees buy in for your Cybersecurity strategy and approach, the next important thing is to measure, on a quantitative basis, how it is all faring. A typical example as to how this can be done is to see how many of your employees are practicing what you have preached them to them. For instance, you can conduct routine audits of your IT systems, or just approach your employees directly in a straightforward and honest approach. If you truly have won them over initially, they will be equally honest in their answers to you.
My final thoughts:
As I have said before, the Cyberthreat landscape is always changing, and is perhaps one of the most dynamic pieces of Corporate America. Technology can only carry your business so far, but the other part of the equation is the human element. There is that saying that employees are often the weakest link in the security chain, but they don’t have to be. They can be your best ally when it comes to fighting off the Cyberattacker.
The bottom line is that treat them as to how you would want to be treated, nothing more and nothing less.