{"id":48433,"date":"2023-06-13T12:40:12","date_gmt":"2023-06-13T16:40:12","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=48433"},"modified":"2023-06-13T12:40:12","modified_gmt":"2023-06-13T16:40:12","slug":"cybersecurity-internal-communication","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cybersecurity-internal-communication\/48433\/","title":{"rendered":"The art of internal cybersecurity communications"},"content":{"rendered":"<p>If you ask any infosec expert what causes most incidents, the answer will almost certainly be the human factor. Most attacks on companies succeed because of employees\u2019 inattention, ignorance and mistakes. At the same time, the human factor is the hardest threat to eliminate, because you\u2019re dealing not with obedient information systems, but living, breathing people.<\/p>\n<p>Our tips often include communicating some information to employees. But this is easier said than done. So today, we\u2019ll talk about how to get employees to take cybersecurity more seriously and heed the advice of security specialists.<\/p>\n<h2>Why employees ignore cybersecurity<\/h2>\n<p>The problem is that cybersecurity isn\u2019t a priority issue for most company staff. They have their own job to do, and may simply not have the time for what they see as secondary matters. Therefore, it\u2019s important to realize and accept two facts.<\/p>\n<p>First: for a typical employee, information security is a secondary issue. So don\u2019t expect an email about the dangers of reusing passwords to cause an avalanche of password changes, or a memo about downloading dubious attachments to stop the practice dead in its tracks.<\/p>\n<p>Second: be aware that employees for whom cybersecurity is not at the forefront of their mind might not (or probably won\u2019t) understand what you\u2019re talking about. 
For a security pro, phrases like \u201ctargeted attack using spear phishing\u201d don\u2019t contain any complex information. But to the regular employee in sales, accounts or logistics, you might as well be speaking Klingon.<\/p>\n<p>These two facts together often lead infosec experts to the conclusion that the task is unsolvable, so they give up and limit themselves to security measures that relate solely to hardware and software. But this is of course not just wrong but dangerous. The question arises: how to get through to employees?<\/p>\n<h2>Cybersecurity + communications = \u2764\ufe0f<\/h2>\n<p>The good news is that your company most likely already has all the ingredients in place to establish good communications about information security. You probably have security experts who understand threats and how to stop them. And you likely have communication experts \u2014 usually found in HR or, even better, in the internal communications department (if you have one).<\/p>\n<p>Be prepared that at first it won\u2019t be easy: such experts are unlikely to be well-versed in cybersecurity, and probably won\u2019t be burning with desire to delve into the details. But don\u2019t give up: you need to find among them the most suitable candidate for, so to speak, evangelism.<\/p>\n<p>Ideally, it should be an already tech-savvy person. If there\u2019s no one in-house, try hiring a new employee who knows internal communications and has a technical background. Such people are rare, but you may get lucky.<\/p>\n<p>When you find them, first, upgrade their cybersecurity skills \u2014 teach them to look at the world through the prism of information security. 
Our interactive <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a> is just what you need \u2014 it even provides a free trial training.<\/p>\n<p>The essential ingredient of the entire undertaking is trust. IT guys in general, and infosec pros in particular, are notorious control freaks. So here they\u2019ll have to tame their instincts and let the communication experts do their job where it relates to communication with employees.<\/p>\n<h2>Where to start<\/h2>\n<p>The internal communications department (if none exists, then HR) will usually have a good idea of which employees do what and how. Therefore, if you outline the general range of threats in a way that your counterpart can understand, they should be able to develop the appropriate communications strategy \u2014 that is, determine what risks certain departments are exposed to, and what to explain to employees in specific fields as a priority.<\/p>\n<p>Another useful thing that you and your new ally can do is to create an easy-to-read <a href=\"https:\/\/www.kaspersky.com\/blog\/security-awareness-basic-instruction\/40416\/\" target=\"_blank\" rel=\"noopener nofollow\">information security guide for new employees<\/a>.<\/p>\n<p>Don\u2019t expect instant success. Overcoming the misunderstanding phase will be a challenge. I highly recommend listening to this <a href=\"https:\/\/www.kaspersky.com\/blog\/rsa2020-security-awareness-nypd\/33960\/\" target=\"_blank\" rel=\"noopener nofollow\">informative talk<\/a> by former NYPD Cyber Intelligence and Investigations chief Nick Selby about raising awareness of cybersecurity among NYPD officers (spoiler: it wasn\u2019t easy). 
I\u2019ll share some of his tips about how to organize the process:<\/p>\n<ul>\n<li><strong>Keep it simple.<\/strong> At the heart of the NYPD campaign were simplicity and specificity, which helped a lot.<\/li>\n<li><strong>Empower people.<\/strong> It\u2019s important to have well-oiled communications on security issues in the team, and for employees to understand what actions to take in a particular case. This is so that our aforementioned salesperson or other regular employee knows who to go to with a suspicious email, thereby preventing a hack of the company.<\/li>\n<li><strong>Show results.<\/strong> It\u2019s a good idea to show how working together produces a positive result. For example, from time to time you can email out an internal memo about attacks that were prevented, and reward employees who helped in this.<\/li>\n<\/ul>\n<p>Again, a series of interactive trainings can be a good starting point to instill in employees the importance of cybersecurity, to give them advice and recommendations, and to raise awareness of security requirements and restrictions.<\/p>\n<p>As mentioned above, our <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a> is the perfect solution. 
Your new corporate communications ally can act as administrator of these trainings, and use them to scale up awareness of threats and protection practices throughout the company.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n","protected":false},"excerpt":{"rendered":"<p>A few tips on how to establish cybersecurity communications with employees.<\/p>\n","protected":false},"author":2726,"featured_media":48434,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[2507,4430,1146,1795],"class_list":{"0":"post-48433","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-awareness","10":"tag-kaspersky-asap","11":"tag-risks","12":"tag-training"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cybersecurity-internal-communication\/48433\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cybersecurity-internal-communication\/25800\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cybersecurity-internal-communication\/21241\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cybersecurity-internal-communication\/28494\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cybersecurity-internal-communication\/26099\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cybersecurity-internal-communication\/35554\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cybersecurity-internal-communication\/26418\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cybersecurity-internal-communication\/32109\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cybersecurity-internal-communication\/31792\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/awareness\/"
,"name":"awareness"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/48433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=48433"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/48433\/revisions"}],"predecessor-version":[{"id":48437,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/48433\/revisions\/48437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/48434"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=48433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=48433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=48433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}