5 Ways to Get Users Thinking About Cybersecurity
With all the cyber threats out there, the one battle IT teams continue to lose is with end users who routinely disregard security warnings. Check out five key ways to talk cybersecurity with users in a remote world.
With all the cyber threats out there, it’s unfortunate that IT teams continue to lose the battle with end users who disregard cybersecurity warnings. CompTIA’s chief technology evangelist James Stanger explains how to make users part of the solution rather than part of the problem. Check out five ways to make your employees pay more attention to security concerns.
Today’s cybercriminals have a particularly large attack surface to exploit. Sometimes they use a particular type of malware called ransomware. Other times they exploit misconfigured servers or conduct a Distributed Denial of Service (DDoS) attack. But in most cases, they go after the weakest link in the chain: human beings.
1. Address the Most Common Cybersecurity Threats
When an attacker decides to go after a company, they will most often engage in social engineering. And usually, that means exploiting email. The vast majority of malware-based cyberattacks (in some estimates, over 90%) arrive by email, most often as a phishing message carrying a malicious attachment or link.
And that’s just malware. Today’s threat actors also use email for attacks that carry no payload at all: spear phishing and impersonation, including business email compromise (BEC), where an attacker posing as an executive or supplier talks an employee into approving a fraudulent payment or changing bank details. I’ve heard the same thing from security operations center workers around the world.
Why? Because email remains the primary way that we communicate. Therefore, it’s the primary attack surface. Yes, attackers have turned their attention to additional services, including social media and instant messaging. But email remains the primary nexus of hacker and worker.
It’s only logical, then, for IT professionals to learn how to talk to end users. After all, a user who recognizes something suspicious and reports it quickly, with accurate detail, gives the organization its best chance to respond effectively.
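The impersonation tactics described in this section leave traces in the one header users actually look at: the From: line. The following is an added illustration, not code from the article or from CompTIA, of two patterns worth teaching users to recognize and worth checking in triage: a protected display name (an executive) on an external address, and a sender domain that is one typo or one look-alike character away from the company’s own. The company domain, the executive names and the sample headers are all constructed for the example.

```python
"""Flag two email impersonation patterns as a triage aid.

All data below is constructed for illustration: the company domain, the
protected display names and the From: headers are assumptions, not real mail.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                   # assumed company domain
PROTECTED_NAMES = {"jane doe", "john smith"}     # assumed executive display names


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters. One edit is the usual budget of a lookalike
    domain (exanple, exampel)."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[m][n]


def fold_homoglyphs(domain: str) -> str:
    """Collapse substitutions that look alike in many fonts (rn->m, vv->w,
    0->o, 1->l, 3->e). Used only for comparison, never shown to the user."""
    folded = domain.replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("013", "ole"))


def triage_from_header(from_header: str) -> list[str]:
    """Return human-readable findings for one From: header; empty means nothing stood out."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings: list[str] = []
    if not domain or domain == COMPANY_DOMAIN:
        return findings          # internal (or unparsable) mail is out of scope here
    if display_name.strip().lower() in PROTECTED_NAMES:
        findings.append(
            f"display-name impersonation: '{display_name}' sent from external domain {domain}"
        )
    folded = fold_homoglyphs(domain)
    if folded == COMPANY_DOMAIN:
        findings.append(f"homoglyph domain: {domain} reads as {COMPANY_DOMAIN}")
    elif osa_distance(folded, COMPANY_DOMAIN) <= 1:
        findings.append(f"lookalike domain: {domain} is one edit from {COMPANY_DOMAIN}")
    return findings


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",        # genuine internal mail
    "Jane Doe <jane.doe.ceo@gmail.com>",      # executive's name on a free-mail address
    "Accounts Payable <ap@examp1e.com>",      # digit 1 standing in for letter l
    "Accounts Payable <ap@exarnple.com>",     # rn standing in for m
    "Accounts Payable <ap@exampel.com>",      # transposed letters
    "Vendor Billing <billing@vendor.net>",    # unrelated external sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", triage_from_header(header) or ["ok"])
```

The display-name check matches exact names only, so a variant such as “Jane Doe (CEO)” needs to be added to the protected set, and the homoglyph fold is deliberately small; treat any finding as a prompt for a phone call to the apparent sender, not as proof of fraud.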
2. Define Your End Users’ Role in Cybersecurity
End users can play two roles. They can either be part of the solution or part of the problem. Just today, I was talking with a cybersecurity professional from the United Kingdom. He works regularly with law enforcement in the City of Manchester, as well as officials in the British government.
He put it very bluntly, saying, “If you don’t have good employee awareness of security, you’re never going to hire your way into being more secure.”
I’ve also heard professionals state that not even the fanciest AI-enabled software can overcome the problems generated by untrained end-users.
3. Train Your End Users
A critical step in managing an organization’s cybersecurity risk is an effective security awareness training program combined with better communication from IT professionals. You can’t just keep pushing training at people; the communication itself has to improve. As a cybersecurity professional, it’s vital for you to talk to employees in a way they understand.
Here are a few tips for communicating with end-users:
- Put a face on cybersecurity: Don’t just let IT pros work behind the scenes. Have a designated person or group of people become the face of security in your communications. This will help employees see cybersecurity as less of a technical nuisance and more of a human concern.
- Use shared experiences: Tell stories about how you were in similar situations. Employees will identify. Doing so will build a sense of camaraderie, which helps morale and makes people want to learn more about how they can help you.
- Impart wisdom in brief snippets: You’ll never be able to explain everything all at once, and you shouldn’t even try. No one wants to read a long email that lectures them about technical steps, and few want to attend an hour-long security session. Break the information down in user-friendly ways.
- Conduct two-way conversations: It’s not enough to have IT and cybersecurity workers communicate one way to end users. Learning and communication have to be interactive, and they have to go both ways. Once employees see that a real dialog is happening, you will be amazed at how much their compliance with the security policy and cybersecurity best practices improves.
- Change things up: Yes, it’s important to have written best practices always available for later reference. But communicate in multiple media. One organization created a series of short, 5-minute videos showing experienced cybersecurity folks talking with an end user about an essential practice in a low-key setting. Employees enjoyed the banter. Another organization holds 10-minute cyber town hall meetings, where IT pros and end users ask and answer questions. As you break up the message and vary your communication style, people will begin to learn.
4. Work with Individuals, Not Just Groups
The best thing IT pros can do when working with end users is to find ways to empathize with their situation. Most of the time, people will be quite upset that sensitive information has been compromised or that they are experiencing a problem.
Once you show understanding, it’ll be easier to learn essential details about the particular issue you’re investigating. I’ve found that common courtesy, including explaining why you’re there and asking how they’re feeling, goes a long way toward putting people at ease. Doing so doesn’t take much time and will help everyone involved.
To put someone at ease, it can help to tell a story about yourself or point out that many other people have experienced similar issues. Sometimes, people who are victims of an attack fear they will receive a reprimand or even lose their job. Focus on what your company’s security policy states; very rarely will a company blame an individual victim for a data breach. That reassurance matters for more than morale: a user who expects punishment will delay reporting or leave out details, and every hour of delay gives the attacker more time before the response starts.
As you work to respond to an incident, find ways to communicate the next steps that you’re taking. Show them that your actions are policy-based and rely on industry best practices.
Once people see that you’ve shown professionalism and empathy, you’ll find that it’s much easier to work with them. Then you can begin to ask about their activities leading up to the problem. Asking open-ended questions (what they saw, what they did next, and in what order) rather than yes-or-no questions will help you find out exactly what they were doing when the security problem occurred.
5. Don’t Forget the Human Element of Cybersecurity
As organizations improve communication, they find that they reduce breaches, because end users come to realize that information security isn’t just an abstract thing that’s somebody else’s problem. Employees also realize that they, rather than antivirus programs and firewalls, are in many ways the first line of defense. Any experienced professional will tell you that improving communication in a cybersecurity awareness program is one of the most effective risk management steps an organization can take.