
Your entire staff is on the front line when it comes to cybersecurity. They're the ones manning the ramparts, so it's vital they are able and willing. They need knowledge, you need their buy-in.

Your workforce doesn't stand alone, of course. You'll identify and invest in the appropriate technologies, both hardware and software, according to your organization's threat assessment and its appetite for risk. You'll implement the appropriate policies and procedures to provide governance, control, and guidance.

Of course, the implementation and maintenance of those measures depend on your staff, and your staff are also the day-to-day users of your IT systems. So whether those systems are being designed, installed, maintained, or used, it always comes down to people. You can't remove the human factor.

That's why it is essential that every computer user in your organization supports what you're trying to achieve, understands why you're doing it, and knows how it affects them. They have to understand what they must and must not do, and---more importantly---appreciate why.

Your defenses are only ever as strong as your weakest staff member. Weakest might mean they don't understand, and so they make a mistake. It might mean they don't subscribe to the whole cybersecurity deal and see it as yet another burden foisted upon them---more red tape and responsibility. So they either ignore it, or they cut corners and knowingly break the rules.

All chains have a weakest link. But the weakest link in a premium-grade chain is likely to be stronger than all the links in a poor-quality chain. Why are your staff the weakest link in your cybersecurity?

Because you haven't turned them into your greatest security asset.

The Holy Grail of Staff Buy-In

The holy grail is a security-minded workforce that follows best practices, uses informed common sense, and is diligent but not paranoid. Getting anywhere near that can feel like the very definition of an uphill struggle.

People don't like change. There will be push back. What can you do? Repeated nagging eventually becomes background noise. Adopting a punitive approach, or linking minor transgressions to a disciplinary procedure, will alienate people at best and at worst might drive them to down tools.

But it is inescapable. If your organization is going to be protected from cybercrime, you need everyone to be pulling in the same direction, and doing so willingly.

These eight points will help you chart a path towards staff buy-in.

One: Share Information

Nobody is trying to say cybersecurity is simple. On the contrary, it can be complex. But don't keep your workforce in the dark. You don't need to give them a blow-by-blow account of the technical reasons why you chose a particular approach. But tell them what the threats are. Impress upon them that these threats are real and potentially catastrophic. Explain what the organization has done to counter the threats, and detail what is expected from them.

Do your employees understand they play a vital role in security, and they have a responsibility when they use the organization's IT services? It's exactly the same as if they have the use of a company car. They must use it properly---in accordance with the rules of the road---and treat it with respect. They are responsible for it while they're using it. The same goes for your network and your data. And if your organization is hit by ransomware and is unable to trade, everyone suffers.

If you're not comfortable with the subject matter, consider outsourcing it to a specialist firm. Bringing in outside expertise demonstrates your commitment to cybersecurity and the seriousness you place on doing the right thing the right way. It also gives you the chance to benefit from an independent viewpoint.

Two: Business Data Includes Personal Data

When people are busy, they are focused on what they need to do to finish the task they're working on. It's hard to worry about the bigger picture when you're on the death-march towards a deadline. But if something affects them personally, they will hold that in mind.

Your organization holds personal data on each and every employee, so it's not just company data that is at stake. Cybercriminals are just as interested in the personal data of the workforce as they are in company information.

An employee's personal data is protected by the measures that are put in place by the organization and the willingness of their colleagues to follow procedures. They must each have one another's backs.

Three: Show There Are No Exceptions

Everybody needs cybersecurity awareness training, and everyone must adhere to the policies and procedures. You cannot have a culture change if it only applies to certain departments or teams, or if some senior levels think they're exempt.

Likewise, everyone in the organization must go through the same policy introduction and procedure roll-out processes. Knowing that the top tiers are subject to the same IT and security governance will level the playing field in the eyes of the workforce. And the C-suite needs to know what the workforce's training consists of. They need to know it is effective, well-delivered, pertinent, and covers everyone---including themselves.

Consider having a short test at the end of the sessions, before the final questions and answers. Not only will this catch the attention of the audience, it will also give you metrics. If a particular section is consistently low-scoring, that part of the session may need reworking to get the message across.

Four: Create Accessible Policies and Procedures

You can't expect people to behave in the right way if you don't make it clear what's acceptable in the first place. So, policy documents must be written to clearly communicate what is required from all personnel. Clear, straightforward, and plainly worded documents are best. Don't try to make them impressive, strive to make them accessible and unambiguous.

Typically, you will require documents that interwork to deliver an overarching IT governance framework, including a security policy, an IT incident procedure, a data breach procedure, an acceptable use policy, a password policy, and possibly procedures and documents to satisfy local legislation, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Your documents may have different names, but they must address these topics.

There will be many more operational procedures that control activities, such as security patch roll-outs; backup schedules, including restore testing; and new starter, role change, and leaver procedures. These are team- and department-specific. If you're not in IT, you won't be preparing accounts for new users, but every new account or role change must be handled according to the procedure, and every leaver's access must be removed promptly.

Five: It Starts on Day One

New starters will undergo an induction process. As part of that induction, data protection and cybersecurity must be addressed. This is your chance to impress upon fresh and enthusiastic employees that this is how you do it here. Don't give them time to pick up bad habits, and take the opportunity to weed out any bad habits they bring with them.

Don't rip through it as fast as possible. It isn't a box-ticking exercise. Cutting corners here will make your new starter think that this stuff isn't important; it's just paperwork. But done well, this brings your new starter into the fold with the right attitude.

You might be able to open it to a wider audience and use it as a cybersecurity awareness refresher for those who haven't had a top-up recently. Having more people in the room than just the new starters reinforces that cybersecurity is not something that is mentioned in the first week of employment and then ignored.

Get them to sign that they understand what is required of them and that they will comply with your policies.

Six: Make It Regular

Keep a record of cybersecurity staff awareness training, and ensure everybody is cycled through it. Then repeat it, at an absolute minimum, annually.

Make data protection and cybersecurity a standing agenda item at management and board meetings. It's not an add-on to IT; it's a separate set of measures that address business risks. Just as you have sprinklers, fire drills, and fire insurance to mitigate fire risks, you need measures to address cyber threats. Review whether your defenses are still appropriate and effective, and review and debrief any security or data protection incidents.

Schedule and enact dry runs of your breach-handling and security-incident procedures. You don't wait until the ship has a hole to rehearse your lifeboat plan. Create a fictional incident, and let your teams treat it as though it were real. Then close any shortfalls the dry run revealed.

Seven: Pick the Low-Hanging Fruit

Make the first steps the simple ones. They'll still have a big impact in raising your cybersecurity bar, and will get employees used to incorporating security-centric activities into their routines.

  • Don't let anyone share passwords.
  • Don't let any third parties access your corporate Wi-Fi. Have a guest Wi-Fi network that goes straight to the internet, with no route into your internal network. Visitors don't need to be on your network; they just need to get their email. You might not even have to buy equipment to do it: your current hardware may already support a separate guest network.
  • All passwords must be unique, and must not be passwords already used elsewhere.
  • Set password rules and enforce them technically, not just on paper. Favor minimum length over elaborate complexity requirements, and block known-breached passwords; current guidance (NIST SP 800-63B) recommends this over forcing special characters and periodic rotation.
  • If people have too many passwords to remember, select and promote a company-sanctioned password manager.
  • Use two-factor authentication wherever possible, starting with email, remote access, and administrator accounts.
  • Provide training in identifying phishing, spear phishing, and other email-borne threats.
  • Provide training to help staff detect and avoid social engineering.
  • Ensure all operating systems and applications are within the vendors' support lifecycle, so they still receive security patches.
  • Apply all security patches to servers and computers, and also to network devices like routers, switches, and firewalls.
  • Implement secure disposal of retired IT equipment, and obtain certificates of data cleansing.

Once a basic framework is in place, the more complex layers will have a foundation on which to sit.

Eight: Measure and Report

Build good cybersecurity practices into your staff appraisal or performance review programs.

Collate and present statistics, such as training completion rates, test scores, and simulated-phishing results, on a workforce-facing dashboard.

Provide an easy way to report issues, and encourage staff to identify suspected vulnerabilities in your system. A small monthly prize for someone who spots a potential security risk, or proposes an improvement, is a good way to get people engaged.

Periodically conduct staff-susceptibility testing. Benign phishing campaigns and USB drops are a good way to identify staff whose training needs topping up, or procedures that need to be updated, clarified, or reinforced. Treat the results as a training signal, not a disciplinary one: people who are punished for clicking a test email stop reporting the real thing.

Remember to report on the most improved department, so that when the tailenders move up the ranking, they get recognition. If you don't want to rank departments in a league-table way, use their scores to place them in bands on a traffic-light system. Everyone should aim to be in the green.

Also report on steps the organization has taken, such as the number of days since the last penetration test, the number of issues that were identified, and how many of those issues have been addressed. That way you're presenting a snapshot of the joint efforts of the organization and your staff.