If you’ve always assumed employees have a solid grasp of cyber security best practices, this news may be unsettling.
Only 51 percent of North American and European information workers report being aware of or understanding their company’s data use and handling policies, according to Forrester Research. The statistic was virtually the same in 2012 – meaning we’re not improving.
Just as surprising: IBM’s 2015 Cyber Intelligence Index found that more than half of data breaches are caused by insiders. The incidents are overwhelmingly accidental, with no malicious intent. An employee might fall for a phishing scam or simply mishandle sensitive data.
What Are Cyber Security Awareness Campaigns?
Awareness campaigns are step one in the ongoing process of educating employees about cyber security. According to the National Institute of Standards and Technology, the purpose is simply to focus attention on security by delivering information through posters, articles, rewards programs and short learning sessions.
Training is the second step, and this is where participation moves from optional to obligatory. Beyond just general awareness, training offers specific, finite knowledge and provides actionable steps.
Like any business initiative, launching a cyber security awareness campaign has rewards and drawbacks. The benefits outweigh the pitfalls, but you’ll have the most success if you understand the pros and cons before getting started.
PRO: Attacks the Most Common Threat
When most people think of data breaches, they imagine a group of evil hackers in a far away land. The reality, as we’ve said, is that your own employees are more likely to cause a breach than outsiders.
You can buy the best security software your budget allows and hire the industry’s top security consultants – and you should – but if you’re not making employees aware of the risks and how to avoid them, your cyber security plan is far from complete.
Cyber security is not just an issue for the IT department. Every employee should be educated on your company’s data use policies, cyber attack prevention strategies and how to spot scams in order to reduce staff errors – your single largest risk factor.
Awareness doesn’t always translate to changes in behavior – at least not right away. Because old habits are hard to break, real change requires ongoing education, hands-on training, setting measurable objectives and offering rewards when goals are met.
The good news? Some of the greatest barriers to change are entirely preventable. Create an awareness campaign that is easy to understand and free of confusing technical language. Craft policies that are enforceable, not open-ended. And keep in mind that education should be frequent and ongoing, not a one-time event. You’re creating a culture that embraces cyber security, and that doesn’t happen overnight.
PRO: Long-Term Cost Savings
We’ve all heard the saying, “an ounce of prevention…” Cliche as it may be, the adage rings true for cyber security campaigns. The money you spend now on awareness campaigns will undoubtedly be far less than what you would spend mitigating and recovering from a major data breach.
Awareness campaigns are also highly scalable, so you can start small and expand the program as your budget allows. Begin with something as simple as hanging posters around the office with tips and best practices, then progress to email newsletters, blog posts, daily tip sheets and online training courses.
Don’t be afraid to tap your own marketing folks for this work, particularly if you can’t afford an outside consultant. The marketing team can access vast online resources offered by government agencies, nonprofits and security vendors.
CON: Time and Resources Required
As you’ve gathered by now, cyber security awareness is a marathon, not a sprint. Awareness campaigns must be ongoing to drive home the message and reach new employees. Even if you’re not spending a lot, creating and executing an effective campaign requires significant staff time and resources to create program materials, set goals, organize and execute training sessions, and measure progress.
PRO: Brand Preservation
Cyber security awareness is just good PR. We’re all aware of the devastating financial impacts of a massive data breach – in the worst cases, driving even solid companies out of business. However, a data breach also does significant damage to your brand, eroding customer trust and, most likely, slowing sales. Consider cyber security awareness an investment in the long-term success of your brand.
CON: Information Overload
You have to cut through a lot of noise to reach employees with your message. Work that seems more pressing and time-sensitive is thrown their way. Cyber security news and advertisements compete with your information for head space. Even outside of work, you’re up against the plethora of distractions that make up our digital world – texts, emails, blogs, social posts and more.
To create a campaign that resonates (read: it actually works), your message has to be attention-getting, memorable, convincing and succinct. Guerrilla marketing techniques work well in the early stages to pique interest, and your campaigns should always include not just the what but the why should I care? What’s in it for employees if they adopt best practices? Job security or performance incentives, perhaps?
How Teramind Can Help
Teramind provides affordable security for small businesses looking to monitor employee behavior. The software streamlines employee data collection to identify suspicious activity and detect possible threats.