Every organization dreams of how they’d like to implement cybersecurity. It’s perfect in its execution: requirements would be met or exceeded, employees would be fully educated on security risks, and data would never be threatened by renegade phishing scams or careless user errors. But sadly, faced with time and resource constraints, it can be difficult for busy organizations to do more than just check the “high importance” boxes (like creating a data breach response plan and solid networking practices). Especially if today’s ever-changing security needs are hard to keep up with as it is.
Kathryn Anderson of Backbone Consultants argues that this struggle to maintain and surmount cybersecurity needs is exactly why businesses should find time to implement a security awareness program. As a security advocate with over a decade of industry experience, Anderson is passionate about risk and governance. And through her experience, she gained powerful insights on how to inspire awareness, responsibility, and empowerment in an entire organization.
READ MORE: Introducing Kathryn Anderson of Backbone Consultants
Anderson started pushing for employee awareness in her Senior Information Security Specialist role at a Fortune 500 consumer food company. Her manager had already put some groundwork in place, but she was fully responsible for developing a security awareness program that would impact new employees, near-retirees, and everyone in between.
Why spend so much time on employee education? “It’s a way to get people to care,” Anderson said during a recent interview with us, “and to be empowered.” She believes that security should be a part of employee job responsibilities from the moment they start their first day of work. But more importantly, it should be part of their responsibilities in everyday life—not just when they’re on the clock.
So Anderson used her security awareness program to shift the culture at the consumer food company, starting with a focus on modern cybersecurity risks and scams. “I brought in an email phishing tool. Based on the type of security events we were seeing and the questions I received, it was clear that the opportunity at our company and our highest risk area was phishing emails for employees,” Anderson explained. “What was super cool about the anti-phishing program I created was that it actually empowered our employees. Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”
“Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”
Several great program initiatives kept the momentum going. A fake phishing email sent internally encouraged coworker-to-coworker discussion that filled marketing meetings, finance meetings, and office spaces with excited security chatter. Employees started asking how they could help protect company data during their daily routine and discussing their role in the overall success of the company. It was a huge, and exciting, change from the initial belief that only IT and security were expected to be proactive in keeping data safe.
While Anderson’s work inspired employees to own their part in the consumer food company’s security practices, she also made it a point to talk about the importance of following the same rules at home. “Through the security program, we really focused on how you can help protect your family and keep your personal information safe,” she said. “So one tool that companies can also use is understanding that your employees are holistic beings; they’re not just people who are in the office from 9 to 5.”
The call for organizations to cultivate a vested interest in employee safety is not new. Brad Beatty, Lead Security Engineer at Enterprise Holdings, shared his thoughts on LinkedIn, writing “I had a vested interest in the success of those around me and the company I worked for because I was treated like family. I propose that by empowering employees … those employees will arise to the occasion and not only become your strongest business asset, but your strongest cyber security defense.”
Likewise, Darran Rolls, CTO and CISO at SailPoint, also wrote about employee empowerment: “[Cybersecurity pitfalls don’t] stop with employees. Friends and family are also targets. Because of this, it’s important that employees emphasize the importance of cybersecurity awareness with those closest to them and follow best practices outside of the workplace.”
So, what did the Fortune 500 consumer foods company do? With Anderson leading the initiative, they started having frequent conversations with their employees on how to protect data outside of work. They talked about how to stay protected during tax season, even though it had nothing to do with company data. And by putting time and effort into their employees’ personal lives, employees responded by practicing good security ethics everywhere they went—which ultimately helped lessen the opportunity for user error, both inside and outside of the workplace.
“There’s a lot of synergies between security and personal security. It’s an opportunity for people in my field to reach out and have conversations with everyday people they encounter, like at the library, or at parties. When you start talking about dual authentication at parties, everyone loves you and you’re always welcome back,” Anderson said. “You might even get a second dessert!” she added, laughing.
Are you focused on building a cybersecurity culture for your employees? If not, now is the time. The resources you’ll expend to create a strong security awareness program for your organization will be more than worth the good that follows.