Onboarding Security-Resistant Employees: 10 Strategies for Tough Cases
Recent cyber attack statistics have created anxiety for businesses of all sizes.
But they’re especially unsettling for smaller businesses because 43 percent of all attacks are aimed at them. Even worse, more than half (55 percent) of these companies faced a cyber attack between May 2015 and May 2016.
So statistically speaking, at least one out of every two small businesses will be hit during any given year.
As a means of protection, more and more organisations are choosing to provide their employees with security education and training. This is smart considering that employee/contractor negligence is the root cause behind 48 percent of all data breaches.
But of course this is often met with resistance.
Let’s face it. Security training can be onerous, especially for those who aren’t technically inclined. But without your team being fully on board, it’s hard to make any tangible progress.
Here are 10 strategies to use for tough cases that should help you overcome resistance and streamline the onboarding process.
1. Ingrain Cyber Security in Your Culture
If you can get everyone in on security as a collective unit, it’s much easier to get each individual to buy in. When an employee sees that their colleagues and managers are security-minded, they’re likely to follow suit.
It’s all about building an internal security culture. But how do you accomplish this?
It usually starts by establishing policies that hold employees accountable for their actions. Some examples include:
- Enforcing password best practices
- Ensuring that employees execute software updates in a timely manner
- Instructing staff on how to report potential threats
Beyond that, you’ll want to get in the habit of routinely discussing cyber security in meetings, company-wide emails, discussion boards, etc. When it’s continually a topic of conversation, it should inevitably become ingrained in your culture.
This brings us to our next point.
2. Make Sure the C-Suite is on Board
It’s not realistic to expect your workforce to buy in if your company leaders haven’t already done so. This type of double standard is practically guaranteed to create friction and will only add to the resistance.
Therefore, getting C-level executives on board is a necessary first step. In fact, it’s smart to have your leaders undergo fairly rigorous cyber security training. Not only will this help protect your organisation, but they’ll also be equipped to answer many of the questions your employees have.
In other words, practice what you preach.
3. Explain the Prevalence of Cyber Attacks
One of the most common reasons for disregarding security is having an “it won’t happen to me” kind of attitude.
Employees may hear about cyber attacks, but that doesn’t always translate into them believing that it’s a realistic scenario. But you can usually get them to buy in by painting a picture of the current landscape of cyber criminal activity.
Be sure to focus on the data that applies directly to them so that it really hits home. For instance, you might explain that:
- Cyber criminals tend to seek out SMBs
- The number of attacks has increased dramatically in recent years
- The costs from an attack can be crippling
This list of statistics from ITSP Magazine offers a wealth of data that you could potentially use to provide your employees with a clear perspective.
4. Discuss the Impact an Incident Could Have on Your Business
It’s also vital that employees understand the specific implications that could arise if your company is targeted. You’ll want to cover issues such as downtime, the financial backlash, the blow to your brand reputation, etc.
You may also want to point out the fact that 60 percent of companies go out of business within six months of an attack. So in theory, your employees’ job security is what’s ultimately on the line here.
This isn’t to say that you should resort to fear mongering, but it’s important that everyone understands how their personal well-being (at least from a financial perspective) is on the line. When you boil it all down, it’s largely a matter of self-preservation.
5. Drive Home a Message of Interconnectedness
Cyber security isn’t something that’s restricted to a small team or department. It’s everyone’s responsibility.
Your employees need to know this and understand the role they play in protecting your company as a whole. For instance, if a single employee falls prey to a spear-phishing attack, it impacts your entire company.
Your goal is to make employees understand that they’re not operating in a vacuum. Instead, everyone within your organisation is interconnected, and you’re really only as strong as your weakest link.
Failing to do their part can potentially have devastating consequences for your entire organisation. Having this knowledge is often the catalyst for team members taking responsibility.
6. Keep it Simple
Let’s be honest. Wrapping your head around complex topics like DDoS attacks, SQL injections and data breaches can be arduous. So it’s understandable why cyber security onboarding is often met with resistance.
Subjecting your staff to long-winded, complicated training materials is likely to have a marginal impact. A more effective strategy is to provide materials that are simple and easy to understand.
For instance, visual-centric mediums like brief videos, slideshows and infographics tend to work well and should give your employees an idea of how cyber security concepts apply in a real-world setting.
7. Break it Down for Maximum Digestibility
It’s not realistic to expect an employee to go from a fledgling cyber security novice to an expert overnight.
Putting employees through a gauntlet is only going to overwhelm them and add to their resistance to learning. Instead, you’ll want to break down the training into smaller, more manageable chunks that build on one another.
In other words, approach it as a gradual process and not a one-off type of deal. Start with the basics, and slowly work your way to more complicated subjects.
This should make it easier for your employees to retain key information and reduce any friction along the way.
8. Use Cyber Security Drills
It’s one thing to learn about a spear-phishing attack in training materials. But it’s another thing entirely to experience it firsthand. This is what really puts your team’s knowledge and skills to use.
That’s why it’s smart to routinely perform cyber security drills to test how adroit your employees are and how well they respond.
For example, you might send out a spoof email asking for sensitive information that employees shouldn’t give out. This will allow you to gauge their understanding of spear-phishing and determine how well they perform.
If team members disregard the email, you should be in good shape. If one or more individuals give out the information, then additional training is obviously required.
Besides the practical value that these drills provide, you’ll find that many people enjoy this type of hands-on learning. In turn, this may make them more receptive.
9. Encourage Feedback
You can bet that employees will have questions, concerns and input throughout the onboarding process. A big part of streamlining things and breaking through the resistance is being open to hearing their feedback and encouraging employees to share it with you.
Maybe they feel that updating their passwords each week is a burdensome task. Or maybe they don’t agree with a particular policy and find that it’s detrimental to their productivity.
Whatever the case may be, try to have an open-door policy where they can voice their opinion and give constructive criticism if need be. This is what should ultimately add to your team cohesion and prevent a small rift from turning into a chasm.
10. Offer Rewards
Associative learning and operant conditioning are two areas of psychology that are heavily involved with rewarding good behaviour and are known for getting results.
Establishing a reward system is powerful because it tends to increase positive behaviour and diminish negative behaviour.
Whether it’s offering small gifts or job perks or simply giving praise, this can go a long way and is instrumental in reducing resistance. Sometimes just a bit of incentive like this is all it takes to motivate employees to take security seriously.
At the same time, it’s usually best to empathise with those who make an occasional mistake.
All Hands on Deck
In many cases, employees are the weakest link in your organisation’s cyber security. Often data breaches aren’t the direct result of some diabolical scheme to take down your company. They’re simply due to an oversight from one of your workers.
This is why it’s so critical to provide your team with the proper education and training. Equipping them with the right knowledge is usually your best line of defence.
With that being said, getting everyone on board is easier said than done, and it’s common to encounter resistance. But using the strategies covered here should allow you to diminish or even eliminate this resistance and have your organisation operating like a cohesive, security-minded unit.
Which specific areas of cyber security are your employees most reluctant to learn about? Please let us know about your experience.