The best front-line security starts with humans.
Keeping your company safe starts at the human level. Businesses need to go beyond simple password security and other protocols. The best way to train employees to defend against hackers is to get them thinking like one.
A recent Harvard Business Review article recommends that you throw out everything the media and the entertainment industry have told you about hackers, because it is too narrow a view of who cybercriminals are.
Instead, you’d be better served to look at hackers as people who are creative, persistent, and resourceful.
If your son or daughter has attended coding camp, then they’ve taken the first step toward hacking. Hackers approach technology with curiosity, persistence, problem-solving, and resourcefulness in order to figure out its ins and outs. They also understand its limitations: any piece of software can have vulnerabilities, so a healthy mistrust of systems is important. Hackers are always on the lookout for vulnerabilities, which is the point of this exercise.
Beyond the security training and protocols you’ve already established (let’s hope you’ve established them), HBR suggests a few further ideas:
Hold a hackathon.
Encourage employees to examine your business computing operations to identify vulnerabilities. Everyone should participate, from the receptionist to the C-suite. Less formally trained employees will often question things that others take for granted.
This also helps avoid tunnel vision and groupthink, and gets people thinking creatively about security. Gamify the whole program with prizes for the most creative ideas around cyber hygiene, best practices, and protocols.
Come up with a fictitious incident and ask employees how they would react to it, to determine whether good communication and sound ideas are in play. Security awareness training and phishing simulations go hand in hand. Phishing has become very sophisticated and almost undetectable, as criminals have found ways to make their emails as realistic as possible. Have teams rank sample emails by how believable they are, then present their conclusions to one another along with the evidence behind them. Phishing simulations test how employees would respond to a real-life phishing attack.
Put people from different departments on the same team, so they start thinking strategically by bringing the viewpoints of their different job roles.
Even if you have a top-notch security team in place, bringing in outsiders can help: when the same people look at the same codebase or dashboard every day, it’s only a matter of time before something important gets overlooked.
When cross-company teams are set an exercise like this, it helps build community and a shared purpose, which, according to the author, are robust defenses when it comes to cybersecurity. A check-the-box approach to training is not sufficient. Neither is overwhelming staff with technical information in the hope of ensuring long-term retention and participation. The trick, according to PrivSec Report, is to improve engagement using methods grounded in behavioural science to change behaviour. Simply imparting information from the company to the employee doesn’t ensure that the information has been taken on board or that it will be acted upon.