This article first appeared on Peter Purcell's blog, Tech and the Business of Change, on CIO.com.
The most effective safety programs are a result of employee awareness. The more aware, the less likely it is that employees will hurt themselves as they perform day-to-day activities in a dangerous environment. Effective cybersecurity strategies employ the same focus on end-user awareness. IT can only do so much without end users taking responsibility for how they access the internet and respond to emails.
It is relatively easy to set up firewalls, update operating systems and deploy antivirus software. Unfortunately, there is little to stop an employee from clicking on an infected link or incorrectly responding to a phish or spoof without completely disconnecting end users from the internet. Disconnecting from the internet would bring business to a halt. IT has to work with business to plug the vulnerability gap caused by software between the ears. Cybersafety should have no less a focus than any other safety program.
There are three components to an effective worker safety program that can be directly applied to increase employee cybersafety awareness: training, constant reminders, and monitoring with testing.
All employees should receive mandatory cybersafety training. Just as plant employees are taught to wear safety hats, shoes, and glasses, end users should be taught about strong passwords, safe internet use, and detecting possible phishing or spoofing emails. IT is responsible for developing or acquiring relevant training materials and working with business to ensure training is deployed across the company.
Clearly communicating the importance of training is critical. While OSHA provides a strong external driver for safety training and compliance, there's really no equivalent body enforcing cybersafety. Key business leaders should kick off training sessions with clear emphasis on the importance of cybersafety compliance. Otherwise, end users will ignore what's covered in class by surfing websites they should be avoiding.
Keeping employees engaged throughout training is important. Duplicating the excitement of learning how to use an extinguisher to put out a real fire can be difficult. There are materials that create slot-machine-like flashing screens and annoying beeping sounds when a computer is infected with a virus or a phishing link is clicked. Allowing employees hands-on experience with these materials ensures the proper level of engagement.
Most plant break rooms have a variety of safety posters on the walls. Entrances highlight how many days have passed since the last reportable injury. Bathrooms have urine hydration charts to ensure employees know when they need to drink more water. Meetings start with a safety minute that covers a broad range of topics, from fire alarm muster areas to brief descriptions of safety violations and their consequences. These constant reminders and materials are intended to keep a high level of employee safety awareness.
IT should work with business to duplicate messaging and materials to keep a high level of cybersafety awareness. The marketing or human resources departments can help develop programs that can be shared across the company. Posters with messages such as "Don't be a phool, don't get phished," or posters that clearly show what a spoof email looks like, should be liberally spread in break areas. IT can work with the Health, Safety, and Environment (HSE) department to expand the safety minute to remind end users of cybersafety.
The most important repeated message is the simplest. If anyone has a question about a website, link, or email, contact IT immediately. IT should work with the business to quickly address real or perceived lapses in cybersafety.
Employees will be more diligent about cybersafety if there's a perception of being monitored or tested. IT should develop a series of phish and spoof tests to determine compliance. Clearly communicate the results via emails that no one reads or by postings in break rooms. Increase compliance rates by creating competition between departments to see who has the lowest fail rates.
After the first two or three rounds of tests, companies that are heavily regulated may even start logging failures in HR employee files. Companies with significant liability associated with cybersecurity penetration should consider a direct impact on bonuses or overall employee evaluation rankings.
Either way, employees should have a clear understanding they are being monitored and tested. Compliance will quickly follow in this situation.
IT may have difficulty convincing business that a cybersafety program should be treated the same as other HSE programs. However, the risk and liability associated with a cybersecurity breach are high. IT can work with legal counsel to clearly understand the impacts of HIPAA, FISMA, HR1770, and recent Justice Department rulings on a company's liability associated with a cybersecurity breach. To be compliant, business and IT will have to work together to address the main weakness in any cybersafety program: the end user.