In a previous blog article, I wrote that in order to have a more effective cybersecurity program you need to implement security awareness. I talked about how security awareness promotes a safe and secure computing environment by educating your employees on good behaviors.
To build off that article I would like to share my thoughts on one way to change the cybersecurity culture in your workplace. That one thing you can do that will greatly improve the culture is to stop punishing employees for mistakes they make. Instead you should start rewarding them for the things they do right.
For too long security teams, IT, and management in organizations have been forcing more training, reprimanding, or terminating employees for being human and making mistakes. One reason they could be making these mistakes is that they were never taught in a way that resonates with them. Everyone has a different way of learning and understanding what they are being taught. If the education you provide is dull and not engaging, they will never learn what the right thing was for them to do. Another reason could be, they want to do the right thing but don't feel that it matters, "I am just one person, how can I make a difference".
Phish or no phish, that is the question...
Another problem is, since it's inception e-mail has been the communication tool of choice for businesses. As such, employees have developed habits to perform actions through email in a timely manner and without much thought. Now we want to break those habits and get everyone to slow down, analyze, and think about if it is legitimate or not. When they choose wrong and click the bad links they are forced into more training or punished in some other way.
Next time instead of punishing them when they click the phish test link the first time, you do nothing. You should still gather data and determine ways to make your awareness education more effective. Just don't make clicking the link a first time or second time a big ordeal. Don't put up a huge "You Failed" banner on their screen. Even better reward those that didn’t take the bait. People want to be part of a positive culture. They want the sense that they did the right thing.
Most of the time when someone has done something like being phished or infecting their computer with a virus, they go into CYA mode. This mentality can make it more difficult and time-consuming to remediate. They do this because they fear the repercussions they think they will face once they are found to be the source. If you changed from taking a disciplinary stance to a positive stance, you will likely change the impact of an incident. When the person reports it properly and timely incident response can be more effective. Instead of a widespread infection, it could be contained and instead of days or weeks, it could be minutes or hours. You want your employees reporting threats or when they think they made a mistake. This is achieved with a simple shift in mindset about how you address cybersecurity mistakes.
Don't misunderstand what I am saying, the key word in what I am talking about is a MISTAKE. This is when an employee does something unintentionally, it is an accident and they should not be punished. However, when an employee performs an action with an intent to do harm that causes damage then disciplinary action should be taken. This is malicious and is unacceptable and in most cases it is criminal. The intent and focus of this article is about how to change the way you address the unintentional mistakes.
The saying you catch more flies with honey than vinegar is true for a reason. It is natural to like sweet and positive gestures, as opposed to the sour and nastiness from negativity. Here are a few examples of gestures you could use to change your cybersecurity culture through positive engagement;
Small gift cards for a Starbucks coffee for the person that reports the most potential security threats in a month.
A plaque, trophy, or another physical item that the office "security champion" of the month gets to keep on their desk.
A free lunch to the department with the least number of phishing clicks.
The point is, to effect positive change you have to provide a positive environment. It is human nature for people to want to be part of a culture they feel secure and trust in. They enjoy the feeling of doing something right and being recognized for it. Part of changing behavior is getting people to want to do something instead of feeling like they have to do it.
I challenge you with taking the positive approach. Stop punishing the mistakes and start using positive engagement with employees. I guarantee you will like the results.
If you need assistance building a security awareness program or want more information on how we can help you change the security culture in your organization, reach out to us and schedule a free evaluation.