You can just see the eye-rolls across the conference table when you bring it up.
It may not be tops on the list of things you want to address at a staff meeting, but cybersecurity is an issue that likely affects every one of your employees, every day, and if you’re delegating it to one person at the back of the IT department, you’re making a big mistake.
“Security in the digital world is similar to security in your personal life,” says Art Gilliland, General Manager of Enterprise Security Products at HP. “Our lives are becoming more and more digital, and crime is just following that pathway.”
But most people have yet to consider their digital safety–and that of those around them–the way they do their personal safety, says Gilliland, noting that while you’d never walk through a dangerous area at night or leave your wallet lying around in a public space, you’ve almost definitely clicked on a link that didn’t seem totally safe or downloaded something from an unknown source. (And you probably did it without a second thought.)
Asking people to change their passwords every three months is not enough anymore. With a few straightforward recommendations, you can make cybersecurity make sense to your staff, and, according to Gilliland, help them “start to protect themselves digitally like they do with door locks, car alarms, and rules that have been ingrained in us about physical danger.”
Talk to your staff about cybersecurity the same way you would about workplace safety–and make it personal.
Gilliland encourages managers to take cues from industries like manufacturing and construction that confront safety issues on a daily basis and train and inform their workers accordingly. He recommends using stories that help employees understand the very real significance of cyber threats, citing the example of a California-based construction company that used discussions of how family members’ lives are damaged by an employee’s injury to reduce workplace accidents.
For example, he says, “checking in” at a restaurant on social media while you’re traveling for work, or sharing photos while you’re still on vacation creates vulnerabilities that can be easily exploited. Highlighting the potential hazards of these common behaviors can help employees gain the personal perspective that will prompt them to think twice.
Don’t underestimate the power of a teachable moment, and don’t let the moment get away.
IT departments in most companies will perform periodic “penetration tests,” attempting to break into their own company digitally and exploit vulnerabilities in order to better understand where problems exist. A powerful tool, according to Gilliland, can be speaking with employees immediately if their computers are found to be at risk due to their actions, instead of just discussing the issue in general terms with the staff at a later time.
“Educate at that moment. It can be private, but it’s very powerful at the time of failure.”
Make it crystal clear: ‘Your work computer is actually trying to help you do your job.’
“Computers are pretty good at warning you now when something is dangerous,” says Gilliland, referencing the “The certifications on this website is not current” pop-up message with which most professionals are familiar. “‘Do you want to do this? OK or no?’ Most people hit the ‘OK’ button because they want to get on with it. Computers are pretty good at stopping us, but you have to listen to them.”
Make sure employees understand your company’s security parameters, and educate them in some of the most common messages they may receive from your own network or online. That way, they’ll understand how to respond appropriately.
The tendency, says Gilliland, is to think, “‘Why is the computer bothering me? Why is it stopping me from getting my job done?’ It’s trying to protect you.”
Mobile devices let your employees work from everywhere. And increase the potential for threats.
An employee’s mobile device is often where the personal and professional digital worlds collide with the most force, and Gilliland recommends keeping the guidelines about mobile short and sweet. Mobile devices don’t yet have the same protections as desktop or laptop computers, so caution employees about what they access on their smartphones.
Advise paying particular attention to the information employees provide to apps, an overwhelming number of which come with serious vulnerabilities baked in. Candy Crush and 2048 really don’t need to know anything about you–or your company.
“Be sensitive about what you download and understand the preferences you allow the apps to have. There’s no reason for a game to have access to all your contacts or, typically, to know your location.”
Yes, your employees are treating their work computer as a digital home-away-from-home. Don’t fight it.
As the lines between home and work become increasingly blurry, so do the parameters for what’s appropriate work computer behavior (from a security perspective; behavior that’s workplace inappropriate is still pretty easy to identify). Is visiting your online banking profile acceptable? What about typing your personal credit card information into an airline website, or viewing a friend’s photos?
But expecting your employees never, for example, to pay a bill online from their work computer is silly–and might actually be counterproductive.
“It’s not realistic to expect people to segment that significantly,” says Gilliland. “That kind of behavior is possible, but it’s not likely for most of us.”
Instead, he recommends sticking to a simple, brief set of directives and digital behaviors for employees to be more thoughtful about.
“What we have to do as companies is realize there’s a practicality to the security we need. If we give people too many things to worry about they won’t do any of them.”
Make sure those in leadership not only prioritize cybersecurity but also model the behaviors recommended to employees.
Digital threats, says Gilliland, are still often viewed as the work of isolated individuals, as opposed to the work of a skilled and growing industry. Educating those in leadership so that they can communicate effectively and model positive behaviors isn’t just a best practice, it’s crucial to the security of your employees and your company’s reputation.
“What they’re fighting is an ecosystem that invests in breaking in. That reality–crime chasing our digital lives–that criminal marketplace is going to continue. You’re not going to stop it all, but it’s got to be part of the agenda.”