How to Keep Employees Accountable in Following Cybersecurity Basics

12 months ago

Your organization may have access to sophisticated technologies designed to improve security and a robust, documented cybersecurity strategy that everyone needs to follow. But none of these assets will matter if some of your employees are negligent enough to allow a data breach to occur; it takes only one weak link to bring your security controls down.

Hopefully, you already have policies in place to guide employees in all departments on best practices for cybersecurity. You may even have education and training systems in place to provide employees with the knowledge they need to succeed.

But how do you keep employees accountable and make sure they follow these protocols?

Teach and Coach One-on-One

It’s easier and less expensive to train and educate your staff members as a group, but it’s usually more effective to take a one-on-one approach. This way, you can provide education and training in the way that the individual best prefers, and you can simultaneously evaluate whether the person understands and appreciates what’s being taught to them.

For example, if you’re teaching someone about the importance of proper password management, you can ask them for examples of strong and weak passwords in real-time. If they struggle to understand this concept, you can work with them until they demonstrate greater understanding.

Limit Employee Control

Next, minimize risk by limiting employee control. Keeping employees accountable is powerful, but it is even more powerful to take certain decisions out of employees' hands altogether. Instead of relying on people to avoid bad decisions, you design systems in which those bad decisions are impossible to make in the first place.

An example of this is segmenting and limiting user access to important platforms and pieces of software, so that each employee can reach only what their role requires. If an employee can't access something, their lost or stolen credentials expose less.

You can also issue mandates and apply certain security measures automatically, so employees have no say in the matter. For example, you can make software updates automatic for all employees, removing any opportunity to delay or skip an update.

Create Tests

You can keep employees accountable by testing them as well. After providing employees with education or training on cybersecurity topics, give them a short quiz, asking them to recap some of the most important takeaways. If anyone fails to acknowledge even the most basic tenets of cybersecurity, they may require retraining.

You can also use simulated attacks, a form of penetration testing, to see how employees perform in realistic situations. Depending on the extent of your testing regimen, this could include fake phishing emails, social engineering attempts, and more. If employees fail such a test, you'll have an opportunity to reeducate them.

Promote a Security-Conscious Culture

People will take their responsibilities much more seriously if you promote a security-conscious culture. In other words, everyone in your organization needs to take security seriously, and to do so explicitly and visibly to their colleagues. Organizational cultures tend to flow from the top down, so make sure all your leaders and managers are on the same page about emphasizing the importance of cybersecurity.

Reward Correct Behaviors

Accountability is often best reinforced through incentives. If you offer rewards to your employees for valuable cybersecurity behaviors, they'll be much more likely to engage in those behaviors. You can track adherence to specific security best practices with a points system, or offer ad hoc rewards for employees who demonstrate excellence in specific areas.

For example, let's say an employee receives a phishing email. Responding to an email like this is a security risk, so it's an event that would cost points. Simply ignoring the email is a neutral action, but an even better action would be flagging and reporting the email. You can offer positive points or other rewards for employees who take this course of action.

Hold People Accountable for Problematic Behaviors

On the other end of the spectrum, it’s important to hold people accountable for problematic behaviors that increase security risks unnecessarily. In some cases, this is simply a learning opportunity, but in other cases, it may require disciplinary action. Employees who repeatedly neglect cybersecurity standards should be put on notice, and if their behavior fails to improve, they should be terminated.

Avoid Creating an Environment of Fear

That said, it’s also important to avoid creating an environment of fear. People should openly understand, respect, and voluntarily act on the best practices for cybersecurity, rather than only complying because they’re afraid of getting fired.

The good news is that the most important strategies for keeping your organization secure are simple and easy to follow, even if you don’t have technical experience. As long as you’re willing to educate your employees, and hold them accountable to their training, you’ll be in a much more secure position.
