Cybersecurity threats are an ongoing problem, and one that's growing: It's hard to go a month without some organization reporting a breach or other problems. There were, for instance, more reported instances of data breaches in the U.S. during the first half of 2018 than in all of 2013, according to a report on Statista.
Yet, no matter how extensive cybersecurity measures are, the human element is a regular issue: Specifically, how well employees comply with the new procedures, sometimes handed down from people far removed from the employees' department, who don't necessarily understand all the ins and outs of how those employees do their daily work. A well-thought-out plan can go sideways, for instance, if team members ignore some of the steps involved to save time or avoid hassles — something quite possible, if they don't understand why a task exists in the first place.
So how do you ensure individual buy-in, in order to keep your organization protected against data breaches or other security issues? Below, eight members of Forbes Technology Council share their preferred methods for boosting cybersecurity buy-in, as well as discuss why the approaches work. Here's what they said:
1. Make Understanding A Priority
Security and compliance actually have two separate goals. A compliance program should focus on the minimally invasive way to meet all public policy and industry rules to prevent fines or other sanctions. Security is about providing the correct level of protection to make an asset an unattractive target for a criminal. When employees understand the objective and outcome, you create buy-in. - Bret Piatt, Jungle Disk
2. Lay Out All Of The Facts
It has become abundantly clear in the last 12 months in the world of cutting-edge technology companies, that customer data must be protected and respected to a massive degree. Such behavior does not merely grant your firm a competitive advantage. Rather, it is singularly pivotal to your firm's very survival in the digital age. Make this fact clear to your teams on day one, and every day after. - Zia Yusuf, Velocity
3. Clearly Define Policies
Often employees are left guessing “what’s our policy?” The ISO Compliance regime allows companies to clearly define those policies or rules, and then audit. Employees aren’t left guessing, for example, whether they can connect their personal Bluetooth fitness tracker. Employees need to feel good about their role in security, model good behaviors, and to be the sentinels when things don’t look right. - Phil Quade, Fortinet
4. Make It An Employee-Managed Initiative
Make cybersecurity an “employee-managed initiative.” Involve them in the “internal security committee” that tracks compliance. Communicate cybersecurity's importance and the impact it has on the business using terms and language they understand. We use comic book-like imagery and sci-fi and comic language in posters across the office that reinforces the message without being suffocating. - Ashwin Ramasamy, PipeCandy, Inc.
5. Demo A Break-In
Typical security procedures seem more like theatre than security, forcing employees through repetitive steps with no clear meaning. One of the best ways I've found to get employee buy-in is to demonstrate how vulnerable the company is to security violations. You can do this by having employees attempt to break in themselves, or watch someone else do so. It makes security real to watch it fail. - Sean Byrnes, Outlier AI, Inc.
Read more in The Cybersecurity Maturity Model: A Means To Measure And Improve Your Cybersecurity Program
6. Create Security Roles
Protecting your company against attacks includes having a reliable team of experts in place who will identify risks in your network and business systems, while proactively creating mitigation strategy. Creating security roles and setting limited access required by each position and educating employees by holding yearly cybersecurity seminars will play a vital role in cybersecurity compliance. - Lana Vernovsky, Dynamics Resources
7. Make It A Part Of New-Employee Orientation
In our industry, we deal with sensitive customer data, including their bank account information. As part of new-employee orientation, I personally ask all new employees to safeguard this data and explain how our policies and training help us exceed customer expectations on protecting their confidential data. - Vinay Pai, Bill.com
