How to engage employees in security awareness training

Posted by Ragnar Sigurdsson
Find me on:

After about 30 years of companies being connected to networks and the internet and about that long dealing with cybersecurity threats, one thing is absolutely certain: the best way to secure your network and keep your data safe is with aware employees. wrote an article entitled, “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” Often, business owners will get great antivirus software and powerful firewalls but forget to plan on the human element in the cybersecurity risks.

Cybersecurity awareness is an effective way to help avoid some of the cyber threats that exist in the world. Since many of them will arrive on a business’s network via email attachments and malicious websites, teaching your staff to know what to look for is an excellent way to reduce your company’s risk.

Why is employee buy-in so important?

We talk a lot about buy-in in almost everything that we do with staff. In every training, we hope to get employees emotionally invested in what we’re doing. The problem is that getting employees to get excited about a new loyalty card or the latest incarnation of a computer program is difficult.

Cyber security awareness can impact every employee, customer, manager, and the company as a whole. Making sure that employees understand that the impact of ignoring cyber security is a great way to lose their data and lose their jobs


Threats to the company and employee jobs

According to Accenture, the average cost of a malware attack on a company is $2.4 million. In fact, most small businesses are out of business within six months after a breach. Larger businesses can suffer permanent reputation damage from a breach of customer data.

It shouldn’t take much to explain to the staff that $2.4 million is a significant portion of salaries. It can mean the difference between a raise and no raise, layoffs, and lack of help, regardless of how busy everyone gets.

In other words, cyber threats are not an abstract concept, but a very real and dangerous threat to the company and to every employee.

Threats to the employees’ data

One threat that most employees don’t think of is their personal data. Every employees’ social security number, their spouses’ and children's social security numbers, their addresses, telephone numbers, emails and more are all on the company’s network.

Their resumes can also be on the company network. Phishing scams on them, their spouses, or their children can all be easily done with the data that is on their resume.

With any luck, all of this will bring home to the staff the idea that cyber security is in their best interests as well as the company’s.

Formatting training for buy-in

The first thing to do to make cybersecurity awareness more interesting for staff is to make the trainings short and entertaining. They need to be informative, but they don’t need to be boring. The classes can take place over several days or even weeks, but nothing is more boring and annoying than an 8-hour class on something that has nothing to do with their jobs.

Make the classes short and focus them on one aspect of security, such as email security, password security, etc. The key is to deliver everything in smaller portions so that everyone can learn what they need to without getting bored.

Another great way to make people aware is to use videos that provide them with learning without even needing to leave their desks. You can confirm that they took the course by having everyone fill out a test or simply using a log-in tracker that tells you who looked at the whole training.

Consider offering a reward for great behaviour. Of course, not all breaches are obvious, but in most cases, it’s easy to tell how a virus or other piece of malware entered the network. Offering everyone a raise might seem a little outrageous, but it will probably cost you less than $2.4 million and millions more recovering the company’s reputation.

Let employees teach the classes or appoint superusers that can deliver security knowledge to their peers. Anything that “comes down from on high” is immediately tainted with boredom and strange policies that have no context. If you have an office full of machinists, it will be easier for a machinist to explain to them the importance of cyber security.

The easiest way to get employee buy-in for cybersecurity awareness.

The short and simple answer is to include them as if their livelihoods depend on it, because they do. If you approach it from the perspective that this is really their concern too, then you’ll be able to speak to them in a way that makes them feel included and not simply lectured at.


Topics: awareness training