How to get your staff to take cybersecurity seriously

CNET@Work: If you fail to train your employees to be aware of potential security threats, you're inviting big trouble.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.

With technology increasingly intertwined with all aspects of business, CNET@Work can help you -- prosumers to small businesses with fewer than five employees -- get started.

Common sense only goes so far and you need to make sure that best practices around security don't go in one ear and out the other. Here's your attack plan.

When it comes to cybersecurity, software company AutoClerk makes sure that its 25 employees know they are on the front lines of something akin to a life-and-death battle.

"If they're not aware of cybersecurity before we hire them, we'll make them aware," said Charlotte Gibb, co-owner of the Walnut Creek, California developer that supplies software to the hotel and hospitality industry. "Our customers are often targets of cyberattacks and so we have to be very alert as to how this might affect our customers. We take cybersecurity very seriously."

She should. Cybercriminals are taking special aim at small businesses. About 18 percent of phishing campaigns targeted small businesses in 2011; the number has since soared to more than 43 percent of the total, with phishing now the main vehicle for delivering ransomware and malware attacks.

The threats aren't confined to phishing emails. Most security breaches stem from careless employee decisions. Cybercriminals will try to infiltrate an organization by using social engineering tactics to gain employee trust. Or they might just leave around infected USB flash drives, hoping someone picks one up and plugs it into their computer. One newly popular ploy is the business email compromise in which scammers target employees who have access to company finances to fool them into sending wire transfers to fake bank accounts.

All can wreak havoc. About 60 percent of small businesses are unable to maintain their business more than six months after suffering a cyberattack, according to the US National Cyber Security Alliance.

Beating back the threat hinges on convincing employees to put into practice what they're taught about cybersecurity. Even then, there are still no guarantees employees will do the right thing.

"Unless you're willing to make your workplace uncomfortable and hang over someone's shoulder, you don't really know," Gibb said. "You basically have to trust your employees. At some point, you need to have a level of trust with the people who you've hired because you're entrusting them with your customers and your critical information."

Making the message stick

It's a popular -- and accurate -- cliche in the security industry that employees constitute a company's first line of defense against malicious or criminal activity. And that's why it's essential to keep preaching the gospel until best practices around cybersecurity become second nature to your people.

Education is the key to teaching employees a shared sense of responsibility for the data that they work with. Any campaign should become part of an ongoing process. While some small businesses may feel they lack the resources, there are ways to direct an effective cybersecurity education campaign without breaking the bank.

● Don't opt for scare tactics. The goal is to build a culture of cyber awareness, so treat security awareness like a marketing campaign with the intent to persuade.

● Start small with a few videos or infographics to kick things off. Include posters, contests and other reminders to drive home an easy-to-understand message: security is everyone's personal responsibility.

● Don't waste time sending out long memos that will only get ignored. Keep it fun, keep it short. You're trying to educate employees about best practices, not forcing them to eat their spinach. When everyone can have a good laugh, they can also learn at the same time.


● Promote the theme with quarterly follow-up campaigns that stress cybersecurity awareness. Follow up the training by testing how well the lesson was learned. Send out occasional phony phishing emails to check how many employees still fail to recognize the threat.

Changing employee behavior may sound like a daunting task. But even if you can't eliminate all cyberattacks against the organization, you can still foster conditions that help reduce the threat. If employees walk away from the program with a more serious appreciation of basic cybersecurity, that's already progress in spades.

Carrots and sticks

"A security breach would destroy our reputation and could bankrupt the company," says David Cox, the CEO of LiquidVPN, a VPN supplier in Cheyenne, Wyoming.

It's a sobering scenario and it's why he deploys a constant mix of carrots and sticks to keep his staff "on its toes." For instance, Cox periodically drops a keystroke injection device disguised as a USB thumb drive in a hallway, bathroom or lobby. "If someone plugs it into one of our workstations, I get a report that contains their user account and device ID," he said.

He also contracts a third-party service that specializes in fake phishing and malware attacks. If someone fails a test or gets hit by a real attack, they get pulled aside and interviewed to figure out why it succeeded.

"We try to demonstrate what could happen if they do not take cybersecurity seriously and I reward employees that are proactive," according to Cox.

At the same time, if an employee does something exceptional or somehow demonstrates a high level of situational awareness, they get rewarded with tickets to a game, dinner for two or an Amazon gift certificate.

But in the end, the stakes are too high to let poor cybersecurity performance continue indefinitely.

"We give employees adequate training and if they are not able to demonstrate the kind of situational awareness our industry requires I would have no choice but to let them go," he said. "That hasn't yet happened. And I sincerely hope it does not."