With it being National Cyber Security Awareness Month, one of the most important things to think about is whether or not you are practicing good cybersecurity habits at work. Here’s a top ten list of ideas that can help foster a culture of cybersecurity in the workplace:
- Institute quality cybersecurity training. Teach employees cybersecurity policies, procedures and best practices such as managing passwords, how to recognize a breach or attack and respond accordingly, and proper web browsing procedures. If there is a breach, they should know what actions to be taken such as who to contact. Training should be provided for new employees and refresher training should be conducted at least annually for regular employees. Include self-assessment security quizzes to test their knowledge of cybersecurity threats, vulnerabilities and countermeasures.
- Create a dynamic cybersecurity awareness program. These could include cybersecurity posters, newsletters, email reminders, token gifts with security reminders and computer log-on displays. Messages should change at least monthly to keep the information fresh. Include fun and informative events such as cybersecurity fairs, guest speakers and brown bag lunches.
- Gain managerial support. The CEO, other executives and managers need to announce their support and full commitment toward cybersecurity. They should also participate in cybersecurity activities. Employees will recognize that they mean business when it comes to cybersecurity.
- Establish sound cybersecurity policies, procedures, controls and practices. This is a basic requirement for any organization that wants to establish a culture of cybersecurity. If these policies, procedures and controls are weak, outdated and/or impractical, employees will not see the importance of cybersecurity.
- Ensure cybersecurity employee performance. Due to its criticality, the need for cybersecurity should be considered for inclusion in the employee’s performance appraisal to ensure that it will be addressed.
- Certify employee accountability. Require employees sign “acceptable use policy” statements that address requirements for cybersecurity and outline penalties for not complying with these requirements.
- Relate to the employee. Employees often think that they will never be victims of a breach. Share recent cybersecurity breaches that occurred in similar environments so employees can relate to possible attacks. This information can be conveyed through email or newsletters.
- Tie cybersecurity to every business process. Every new and existing standard operating procedure for each business process should be reviewed for possible security breaches and appropriate adjustments be made in a timely manner.
- Establish a cybersecurity community of interest. Have a team of employees who are well versed and/or interested in cybersecurity share information and experiences with each other and the rest of the organization. This can be accomplished through social media if there are adequate security measures.
- Conduct informal security checks on employees. For example, have an outside third party perform social engineering attacks to see how many employees give up their passwords. These will certainly grab the attention of your employees. Of course, employees should not be disciplined for these actions since the security check is meant as an educational experience.
Have anything to add? Post it in the comments and keep the conversation going!
Dr. Les Pang, CISSP, is a Program Chair and Associate Vice Dean in the UMUC Graduate School. Besides several technical classes, he teaches Cyberspace and Cybersecurity (CSEC 610), the first course in the Master of Science in Cybersecurity Degree Program. He is a former professor at the National Defense University where he taught both information security and technology courses. He was the 2004 recipient of the Drazek Teaching Excellence Award, the 2011 United States Distance Learning (USDLA) Faculty Teaching Excellence Award – Platinum, and the 2012 University System of Maryland (USM) Board of Regents Teaching Award.