
How to Create Security Awareness at Your Company

Set up a mock phishing email among your employees to see who takes the bait -- and who's the most gullible.

By Robert Siciliano Edited by Dan Bova


Opinions expressed by Entrepreneur contributors are their own.


Imagine this fantasy: At your company, sensitive customer data is impenetrable. Hardware is secure. And every single IT specialist in your employ has the resources and funds to make all of this happen.


But, no, it's time to pinch yourself and wake up. The reality is that no matter how secure the nonhuman end of things is, the mere existence of people using a system will always mean the potential for data breaches.

Should we throw in the towel? Of course not. If we did, cyber criminals would practically rule the world.

Instead, we should focus on increasing security awareness in the workplace, from the ground up and from the top down: We should teach workers how to handle data to minimize the potential of its falling into the wrong hands. Several strategies:

  • Tell employees that a data breach could mean the loss of their job. This will give them incentive to become more security aware.
  • Impress on employees the warning signs of a cyber attack so that they can more easily spot suspicious activities.
  • Every employee, old and new, should be thoroughly instructed on security at the level of the individual computer. New employees should complete this training before they officially begin work and before accessing the company's network.
  • Install technology that will detect when employees are doing something they shouldn't. The software will alert them in time to take corrective action as well as enhance their learning experience.
  • Set up mock "phishing" emails to see who takes the bait. "Internal phishing" will teach employees how to be smarter and less gullible.

So, what are some ways to maximize security awareness? Here are eight.

1. Establish a baseline.

Before you can get awareness efforts going, you must first collect all the metrics to establish a solid reference point. An example might be the results of the staged phishing. Metrics are important, as they will enable you to gauge the success of your efforts.

2. Be realistic.

Don't think in terms of banning a certain activity, like involvement with social media, but rather of teaching employees to be judicious about it.

3. Use lots of tools.

A program for security awareness should involve multiple venues such as video games, newsletters, mock phishing and whatever else comes to mind.


4. Be creative.

Even if funds are scarce, you can still make the learning process more fun than drudgery. For example, give out boxes of candy canes for the holidays, with the company's security policy tucked inside each box. Employees will more likely read the policy if it comes with candy canes than if it's simply mailed, or handed to them in the office by the boss.

5. Seek high-ranking executive support.

Once the "bigwigs" get involved, employees lower on the chain will more likely follow suit. How can we get "C-level" decision makers on board in the first place? Tell them that return on investment is contingent upon security. That will get them hopping. Another way to grab their attention is to send out newsletters specifically for them, which will add to their feeling privileged. In the newsletters, include information on security awareness.

6. Recruit other departments.

No department is too unimportant to be involved in security awareness. Get every department involved, even your housekeeping and cafeteria staffs. But especially go after your marketing, legal and human resources departments, because they're in a position to make security awareness a requirement.

7. Re-evaluate.

Re-evaluate your new program every 90 days, without fail. This approach has been shown to be quite effective. To avoid information overload, emphasize maybe three topics at a time over the three-month period. Then, 90 days later, see what needs to be revised, based on those three topics.

8. Hit close to home.

Get employees to focus on themselves; don't harp just on security awareness that affects the company. Make workers understand that security is about them, too, not only the elusive bigwigs. Talk to them about the most common scams and tricks cyber criminals use, and how to protect themselves at home, with tools such as firewalls and wireless VPNs.


Robert Siciliano

Personal Security, Privacy and Identity Theft Expert

Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.
