Communicating Cybersecurity Issues
Ten of the best ways to communicate the importance of cybersecurity to employees include starting communicating from their first day, using powerful analogies, performing practical training exercises, taking advantage of one-on-one opportunities, using multiple communication techniques, adapting information to the audience, connecting office security to home security, highlighting the positive behaviors of top executives, involving the communication experts, and celebrating the successes.
We searched for the best ways to communicate the importance of cybersecurity to employees by exploring the websites of large and respected publications such as CMSWire, CSO Online, Forbes, Wall Street Journal, and New York Times. We also searched further for articles that discuss cybersecurity and employees, as well as cybersecurity communications.
We found only one credible, directly relevant article from CSO Online, titled "How managers can best communicate the importance of cybersecurity to employees" which provided the only list of the best ways. We have supported that finding with articles from other credible sources like Forbes, CMSWire, and Tech Republic on the same topic. The articles from the other sources include "How To Talk To Your Employees About Cybersecurity (Without Putting Them To Sleep)", and "How to make your employees care about cybersecurity: 10 tips". We avoided the use of websites of software companies and also wrote the analysis in a conversational tone as requested. The details of our findings are provided below.
Start communicating from their first day
New employees are usually eager to impress the company. They are very receptive and keen to do what is right during their onboarding period. You should make cybersecurity a crucial part of their onboarding process using the following three-part strategy: a general introduction of the cybersecurity policies of the company, an interactive, practical training that covers basic security threats like phishing and email scams, and information about their access to sensitive data and the implication of loosing such data. “Employees aren’t left guessing, for example, whether they can connect their personal Bluetooth fitness tracker.” Cybersecurity awareness can also be part of your company’s periodic digital literacy assessments.
Use powerful analogies
Analogies can have a great impact on results, and it could either be positive or negative. “Analogies reveal connections, spark innovation, and sell our greatest ideas".
Perform practical training exercises
"Live fire" training is the best way to communicate cybersecurity messages. Always make use of opportunities to practically demonstrate cybersecurity issues rather than talking about them. You can simulate a situation where an employee "becomes the victim of an attack that's actually orchestrated by your IT department or an outside vendor, and then they're asked to understand the lessons they've learned from that attack, and the implications on the business, on their personal lives and how they could have prevented it".
Take advantage of one-on-one opportunities
A powerful strategy you can use is to speak immediately with employees if their computers experience a security breach as a result of their actions, rather than waiting till a later time to discussing the issue in a general meeting at a later time. "Educate at that moment. It can be private, but it's very powerful at the time of failure".
Use multiple communication techniques
Combine recurring information using unique delivery methods. Your communication techniques can include e-learning training, simulated cybersecurity treats, “simulated physical social engineering drills to test in-office security, email updates, and lunch-and-learn sessions”.
Adapt information to the audience
Be acquainted with the unique responsibilities of different employees and departments and the associated cybersecurity risks of their activities. Then you can deliver the relevant corresponding information accordingly. For example, “your software developers are more likely than your AR clerk to need reminders regarding cloud storage security”.
Connect office security to home security
If you can provide relevant solutions that will help employees to mitigate their cybersecurity risks at home, it would be a great way to boost the relevance and awareness of the message.
Highlight the positive behaviors of top executives
Engaging the leadership of your company so that they can model positive cybersecurity behaviors is a best practice, it is also essential to the security of your employees as well as the reputation of your company. Take opportunity of such positive behaviors of your company’s top executives and encourage them to share how they maintain a security-conscious mindset.
Involve the communication experts
The top communication experts in your company may not be part of your IT team. Work on enlisting such people to communicate your cybersecurity message. You can partner with the HR and marketing departments to add more creativity to your message.
Celebrate the successes
High profile news about recent cybersecurity attacks on big companies makes people to assume that data breaches are inevitable and efforts to prevent them are not effective. Your IT team needs to use available to prove that such attacks are frequently thwarted. For example, “if an employee skips the bait in a phishing email and reports the attempted attack, or your team is able to overcome a ransomware attempt with a segregated backup copy, share the success”. Sharing and celebrating successes should be part of your communications strategy.