When the topic is cybersecurity, most attention is paid to the technologies—both hardware and software—that can be deployed to both detect and mitigate cyber-attack threats. Another strategic and np less critical aspect of your company's cyber defense is its people.
The only catch is that they need to be informed of the important role they play. Doing that effectively requires a well-thought-out approach to your cybersecurity communications strategy.
At Rockwell Automation's Automation Fair 2023, a panel discussion focused on this issue and explained how companies can build a human firewall to protect their operations.
Drew Rose, chief security officer and co-founder of Living Security (a provider of training to address cyberthreats) noted that workers don't need to know everything about cybersecurity to be effective. “But they do need to know when to ask for help or raise a red flag,” he said.
"To teach workers how to do this," Rose said, "you need to make your communications about cybersecurity fit who the workers are. For example, if you're speaking to employees who work with automated machines, you should explain what an attack on your business means to the machines they work with."
Internally, Rockwell Automation stresses that cybersecurity is everyone’s business. “Our motto is 'cybersecurity starts with you'," said Paula West, IT marketing and engagement manager at Rockwell Automation. "We also show how the things we teach them about cybersecurity can protect them and their families—not just their workplace."
"The language you use is also important," said Alex Panaretos, director of professional services at Proofpoint (a cybersecurity platform provider). "There's a difference between asking someone to report something and asking them to notify you," she said. "When you ask people to report something, interaction tends be low. But if you ask for a notification so that someone else can handle it, we've seen engagement increase by 60%."
Up-to-date training
The cyber threat landscape is constantly changing. While the core tenets of good cyber practices will continue to protect a company's systems, workers need regular updates to keep abreast of the latest tactics.
West said Rockwell uses real world examples to keep employees up to date. "Talk about what's actually happened at your company," she said, "including attacks that were avoided or suspicious activities that have been detected. It's also key to understand the day-to-day realities of different worker's roles and the threats they may face in their work to help tailor your communications with them."
"We've had success with enterprise messaging," said Rose. "Updating teams with this method via short, regular updates can be effective. Move away from those 60-minute training classes every year to a 30-second video every week or two."
Rose added that it can help to talk about how the cyber-attacks they hear about in the news could impact your organization. "Your message has got to be more than: Ransomware is bad," he said.
"Build relationships between employees and your cyber help desk," advised Panaretos. "For decades, cybersecurity has been about technology and processes without recognizing there's a person involved in everything. To build those relationships, it's important for organizations to realize they have neurodiversity and cultural differences in their workforce."
"Try to understand why people are doing something," she said. "A loss of focus can be caused by caregiver stress experienced by the worker or other at-home issues. Having this level of interaction creates a human connection," she said. "People need to know they can make a mistake and recover from it. You need open dialogues. A silent organization is a dangerous one."