
In the first article of this three-part series, we discussed the challenges faced by overextended IT departments. However, even the most well-structured IT team cannot defend against cyber threats alone. A robust cybersecurity strategy requires the active involvement of every employee, making it essential to build a culture of cybersecurity throughout the organization.

The Weakest Link: Human Error in Cybersecurity

Human error is a significant factor in cybersecurity breaches, with IBM estimating that 95% of breaches are caused by mistakes made by individuals. This statistic underscores the importance of engaging employees in cybersecurity practices and ensuring that they understand the impact of their actions on the organization’s security.

Common symptoms of a lack of security awareness include:

  • Ignoring IT Security Advisories: Employees often overlook these advisories because they are perceived as too technical or irrelevant. This disconnect can lead to poor security practices and increased vulnerability to attacks.
  • Disengagement from Training: Many employees treat cybersecurity training as a formality, often running modules in the background while focusing on other tasks. This lack of engagement means that employees may not fully grasp the importance of the security measures they are being asked to follow.

Making Cybersecurity Relatable and Engaging

To overcome these challenges, organizations must make cybersecurity relatable and engaging. Simplifying communication and focusing on the personal and professional benefits of cybersecurity can help bridge the gap between IT and non-technical employees.

Effective communication strategies include:

  • Simplified Messaging: Avoid jargon and emphasize how following cybersecurity protocols benefits employees personally and professionally. For example, rather than delving into technical explanations, highlight how these protocols protect their personal data and contribute to the organization’s overall security.
  • Interactive Training Programs: Traditional training modules are often long and technical, which can lead to disengagement. Instead, consider using short, interactive content like videos or infographics that are easy to understand and retain.
  • “Netflix-style” Video Series: A video series that integrates cybersecurity lessons into an engaging storyline not only captures employees’ attention but also improves retention of critical information. Organizations that have implemented such training have seen higher viewership and engagement, and better outcomes, particularly on phishing test results. We also observed that employees look forward to the next episodes of these video series, which are released only on a monthly basis.

Integrating Cybersecurity into Daily Operations

To truly build a cybersecurity culture, it is important to integrate cybersecurity practices into the daily operations of the organization. This means providing continuous, bite-sized training sessions that keep cybersecurity top of mind, rather than relying on annual training that quickly fades from memory.

Collaboration between departments, such as Knowledge Management, Marketing, and IT, can create materials that are both informative and visually appealing, making it easier for employees to engage with and understand cybersecurity messages. IT cannot do this alone.

Why This Matters for FinTech, BPO, Healthcare, and SMEs:

In industries where data protection and regulatory compliance are critical, or in the case of SMEs that have no capability to create such cybersecurity training programs, offerings such as our Firm’s Vigil@nt Training Program provide ready-made videos about cybersecurity to help them build strong cybersecurity awareness. Ensuring that every employee understands and follows cybersecurity practices is essential: it reduces the risk of human error and enhances your overall security posture.

In the final part of our three-part series, we will explore the critical role that leadership plays in driving a cybersecurity culture. Learn how senior management can set the tone for security practices across the organization and why their involvement is key to a successful cybersecurity strategy.

 

As published in The Manila Times, dated 23 October 2024