Just yesterday, I wrote an article for a client on what is known as “Compliance as a Culture”. Essentially, this is a concept where you want all of the employees in your company not only to be compliant with your Security Policies, but also to maintain the strongest levels of Cyber Hygiene that are possible.

Remember, most of us have heard the word “Compliance” used so much as it relates to abiding by the CCPA and the GDPR. But as I just mentioned, there is so much more to it than that. When it comes to abiding by the data privacy laws, the fear tactic has always worked. For example, as a business owner, I am sure that you would never want to get audited, or worse yet, face all of those stiff fines and penalties. But using this kind of method can only go so far, especially when it comes to your employees.

The technical term for this is also known as “Security Nihilism”. Even to this day, trying to scare employees in training programs is a technique that is quite often used in order to make sure that they comply with all of your Security Policies. But in the end, rather than fostering that so-called “Culture of Compliance”, you will literally not only create a wall between your IT Security Team and your employees, but you will even create an atmosphere of hatred.

One never wants this, as it will only lead to a huge decrease in productivity levels for your company. So, what can be done about this? Obviously, you need to come up with ways to treat your employees differently. Probably the best way is to approach them in a very non-hostile manner, like treating them as a close friend. Here are some tips you can implement:
1) Employees are not the weakest link in your chain:

I get so irritated when people say this. Yes, employees can and will make mistakes, but that does not mean they did it intentionally. Remember that as a business owner, you are far from being perfect either. Remember that your IT Security team can only go so far. They need a lot of extra eyes and ears as well, and this is where your employees come into play, even all the way down to your overnight custodial staff. In this regard, a lot of business owners like to maintain that “gotcha” style of training. In other words, if a simulated Phishing campaign is launched, those that fall prey are then taken aside and chastised. What is the point of this? As mentioned earlier, you are simply going to foster a feeling of hate and reprisal among those employees that took the bait. Instead, take that employee aside and explain to them what happened. In fact, don’t even mention the fact that he or she did something wrong. Rather, after pointing out the flaws that just occurred, tell them what solutions can be used to rectify the problem. Taking this approach will not only create a friendly environment, but you will probably even have a more loyal employee in the end.
2) Rewards always help:

From time to time, in order to make sure that your employees are trying to maintain the best possible levels of Cyber Hygiene, rewards can also be a great thing. For example, perhaps once a month or every two, you could hold a contest for who is maintaining those good levels, but you should also take the opposite approach as well: providing rewards to those employees that have reported security breaches that were actually looming on the horizon. Remember, giving out rewards does not have to be a budget breaker. Even small items, such as gift cards, a free gym membership, or even a lunch or dinner out can go a long way for morale.
3) Improve your Security Awareness Training programs:

In Corporate America, the thinking is that this is a one-and-done deal, and that you should cram in as much info as you can. But in all honesty, this is probably the very worst approach that you can take. You need to keep your employees sharp when it comes to spotting security vulnerabilities and gaps, and one of the best ways to do this is by having regular Security Awareness Training programs. As a rule of thumb, this should probably be done at least once a quarter. The next point is that your training programs should be no longer than 30 minutes, or 45 minutes at the most. That is about the average attention span of a human being. Anything longer than that will simply lead to information overload. Also, stay away from the boring lecture-style format. You want to make your training programs engaging so that your employees will come away with something at the end, and actually apply it. So make the training fun and competitive, and even give rewards here as well. One of the best ways to take this kind of approach is to utilize the concepts of what is known as “Gamification”. The bottom line here is to never make use of the “Fear, Uncertainty, and Doubt (FUD)” approach.
My Thoughts On This:

Right now, we are all under a lot of stress and pressure, especially with the new variants of COVID-19 coming out and the situation happening in Ukraine. One of the very last things you want to do is add further pressure to your employees by using fear tactics to make them straighten up about Cyber Hygiene. I am a strong believer in Karma, and what goes around comes around. Taking the fear approach is only going to come back to haunt you, and perhaps even cause your business to implode. Treat your employees how you would want to be treated: with respect and friendliness.