
The Importance of Employees in Cybersecurity Strategy

Learn about some key topics discussed in episode two of our Get IT podcast series, where our experts discuss the importance of employees in cybersecurity.

Earlier this week we released Why People Are Your Best Defence Against a Cyberattack, the latest episode in Get IT: Cybersecurity insights for the foreseeable future, which is about the importance of employees in cybersecurity strategy. This six-part series brings cybersecurity experts from CDW and Cisco together to discuss trends and hot topics in the security space.

In episode two, Julius Azarcon, national leader of cybersecurity services at CDW, and Rola Dagher, president and CEO of Cisco Systems Canada, examine the crucial role employees play in an organization's cybersecurity strategy. Highlights of today's discussion include the role of culture, how to develop good cybersecurity habits within an organization and how the right people and talent can help the cybersecurity industry get ahead of technical threats. Here are some of the topics they tackle in episode two.

Employees can make or break your cybersecurity strategy

Employees should be a central component of any cybersecurity strategy and play a critical role that is often underappreciated. As your frontline, they are both the best defense in preventing a data breach and the primary liability in enabling hackers to take control of an organization's infrastructure and network. Properly training your employees on how to identify threats allows your organization to mitigate these issues and minimize the likelihood of infiltration. It behooves organizational leaders to be key drivers in this, as you need to ensure your people are provided with the right technology and processes to prevent any issues.

An organization's security should be recognized as a business issue. People are the most important piece to solving this issue, and the vulnerability of indifference is a key concern. Organizations can only have strong and robust security protocols if employees are actively engaged and understand the value of cybersecurity. It's important to remember that hackers only need to be right once to have a lasting impact on your organization and stakeholders, whereas you need to be right 100 percent of the time.

Establishing a culture of trust

If employees don't feel inspired or empowered in their day-to-day roles, it's likely that they won't take the cyberthreats your organization faces seriously. The desire to help their employer beyond their daily tasks is fostered by having a strong workplace culture. Without culture, there is no soul; establishing trust, transparency and constant learning as the foundation of your organization's culture can go a long way to engendering feelings of organizational pride and openness to training.

Making cybersecurity training a positive experience

It's crucial that cybersecurity training be a part of your team's regular professional development sessions. It's equally important that the content be relevant and personal for the intended audience. Should the training sessions not translate to your team's day-to-day, the message and skill development won't resonate. Additionally, the sessions need to be a positive experience. The importance of not blaming and shaming your employees can't be overstated; employees deserve to operate in an environment of encouragement where they feel able to step forward and speak up without recourse if they find a weak point.

Cybersecurity training should be fun. One great way to accomplish this is through gamification. Crafting your training around competition and reward is a great way to keep employees engaged and make the sessions more dynamic for everyone involved. One example of this tactic is through a points system, where the employee with the highest score at the end of the session is given a reward. Another is through controlled setting war games, where your trainees are put in two different groups with multidisciplinary members of your organization in a mock network infiltration scenario. Get creative with gamification; not only does this strategy help your team develop a greater understanding of cybersecurity, but it also builds camaraderie and culture in your organization.

Training and awareness in today's remote landscape

While it's important for organizations to allow their employees to be flexible given the current work from home environment, it's equally important that employees are aware of the increased cyberthreats. Our personal and professional lives have blended as staff are simultaneously playing the roles of employee, parent, educator and counselor. Organizations need to simply and concisely convey best practices that employees can easily action to secure their home network, helping to minimize the risk of cyber incidents in our new remote reality (think principles versus technical details). Actionable best practices and effective low-hanging fruit include changing default passwords, creating strong passwords or passphrases, managing Wi-Fi network access and ensuring personal devices are up to date with the latest software.

When looking to your organization's management, it's important that they clearly and succinctly share these steps to encourage best practices in and away from the workplace. Remember that data breaches do happen, and it's typically upper management who must face the reputational and employment fall-out. Follow through and best cybersecurity practices implementation are essential at all levels, but good habits are important to develop from the top down. It shouldn't take a pandemic for your organization to realize how important technology and cybersecurity education is to a business. If one part of your organization is at risk, then the entire operation and likely management jobs are equally vulnerable.

Where do organizations go from here?

It's clear that cybersecurity threats facing organizations are increasing in frequency and sophistication. Organizations, in particular senior management, must recognize the prevalence, inevitability and dire consequences of today's threat landscape and take the necessary steps to prevent becoming the next headline. You need to take a holistic look at your organization and ensure that the entire ecosystem is secure. Instilling the zero-trust security concept in your employees will reinforce the idea that a bad actor could try to take advantage of any vulnerability however small and cause irreparable damage to your organization's network and reputation. Organizations need to prepare for the current and future environment, defend your infrastructure and respond to incoming threats by remembering the processes instilled in employee training. Having more open environments where workplace culture is the North Star will help.

Today, we're seeing a fundamental shift in how organizations must operate and protect themselves. Whether it be developing a culture of trust, providing sufficient training or ensuring employees are prepared to be responsible digital citizens at and away from the workplace, it's essential that your frontline staff be at the center of your cybersecurity strategy now more so than ever.

For more insights on employees' role in cybersecurity, listen to episode 2 now.