No organization wants to end up in the headlines as the next corporate victim of a major data breach. For that reason, security awareness programs have become a staple component of every business, in nearly every industry, regardless of size or global reach. But there’s a huge difference between programs that set out to simply check the compliance box and those that actively work towards creating strong human firewalls.
The latter group proves that they care about their employees’ cyber well-being by shifting awareness training away from “this is what’s good for our organization” to “this is what’s good for all of us.” Focusing on personal security (as an extension of enterprise security) leads to an all-around healthier work environment that’s resilient to cybercrime. How so? Here are three reasons:
Personal security makes the information relatable.
Most employees have no interest in awareness training or additional learning materials beyond the scope of their day-to-day jobs. Compliance training especially fosters resistance due to the dry content associated with regulatory materials. That creates a challenging scenario because employees don’t take the particulars of compliance home with them. But if you spin the training in a way that reaches them on a personal level, they might grasp the information better and take training seriously.
The ransomware attack that hit a hospital in California a few years ago serves as a perfect lesson. Ask your end users how such an attack could impact them. What if they were at the hospital in question? Or a loved one was? Suddenly, the attack takes on personal meaning, and the concept of “thinking before clicking” is much more relatable.
Apply that same process to HIPAA (for example). We all need doctors and hospitals. We all must provide personally identifiable information to these entities in order to acquire services. And we all want that PII to stay 100% confidential. Because if our PII lands in the wrong hands, we become candidates for identity theft. By presenting otherwise mundane training materials with a personal perspective, your end users will be much more likely to relate to the information, and therefore retain the information.
Personal security creates 24/7 security awareness.
While most people have no interest in “taking their work home,” encouraging employees to apply your organization’s security awareness concepts to their households can only strengthen your resilience to cybercrime. Generic security actions like creating strong and unique passwords for every account and device, using VPNs on public WiFi, identifying phishing scams, and utilizing common sense, apply to every element of your employees’ lives. For help with setting up a home security policy, follow these seven steps.
If they embrace those concepts and prioritize security at home, your organization effectively creates human firewalls that are active around the clock. This further insulates your organization from additional cyberattacks that could arise should one of your employees’ personal devices get hacked (which could have access to business email accounts and other pertinent info, if your policy allows it).
Personal security improves the overall culture of your organization.
The entire goal of awareness training is not just to teach your employees about the risks your organization faces, but also to make security awareness second nature. By emphasizing personal security in your training materials, you arm your end users with info to protect themselves and their families, no matter where they go or what they do. When they’re shopping online, for example, they might recall your organization’s warning to ensure the website is legit and to never give out personal information unless 100% confident the recipient is trustworthy.
Once that thought process becomes the default, overall decision making improves. Your employees develop a habit of awareness, such that any requests for sensitive data are met with immediate skepticism, any unknown persons are addressed per policy, and all security events are reported ASAP. In essence, your organization’s culture improves almost organically, because you presented your training program in a manner that empowers your employees and prioritizes their security.
Latest posts by Justin Bonnema (see all)
- Incident Response: Time Is Not On Your Side - April 1, 2019
- 5 Traits of Security Aware Parents - March 14, 2019
- Bad Habits of Senior Managers That Put Security of Organizations at Risk - March 1, 2019