How to Create Security Awareness at Your Company Set up a mock phishing email among your employees to see who takes the bait -- and who's the most gullible.

By Robert Siciliano Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

REUTERS | Steve Marcus

Imagine this fantasy: At your company, sensitive customer data is impenetrable. Hardware is secure. And every single IT specialist in your employ has the resources and funds to make all of this happen.

Related: Expert Advice: How to Up Your Cyber Security

But, no, it's time to pinch yourself and wake up. The reality is that no matter how secure the nonhuman end of things is, the mere existence of people using a system will always mean the potential for data breaches.

Should we throw in the towel? Of course not. If we did, cyber criminals would practically rule the world.

Instead, we should focus on increasing security awareness in the workplace, from the ground up and from the top down: We should teach workers how to handle data to minimize the potential of its falling into the wrong hands. A couple of strategies:

  • Tell employees that a data breach could mean the loss of their job. This will give them incentive to become more security aware.
  • Impress on employees the warning signs of a cyber attack so that they can more easily spot suspicious activities.
  • Every employee, old and new, should be thoroughly instructed on security at the level of the individual computer. And new employees, before they officially begin work, should complete this training before accessing the company's network.
  • Install technology that will detect when employees are doing something they shouldn't. The software will alert them in time to take corrective action as well as enhance their learning experience.
  • Set up mock "phishing" emails to see who takes the bait. "Internal phishing" will teach employees how to be smarter and less gullible.

So, what are some ways to maximize security awareness? Here are eight.

1. Establish a baseline.

Before you can get awareness efforts going, you must first collect all the metrics to establish a solid reference point. An example might be the results of the staged phishing. Metrics are important, as they will enable you to gauge the success of effort.

2. Be realistic.

Don't think in terms of banning a certain activity, like involvement with social media, but rather of teaching employees to be judicious about it.

3. Use lots of tools.

A program for security awareness should involve multiple venues such as video games, newsletters, mock phishing and whatever else comes to mind.

Related: What Startups Need to Do to Be Cyber Secure in 2015

4. Be creative.

Even if funds are scarce, you can still make the learning process more fun than drudgery. For example, give boxes of candy canes out for the holidays, but tucked inside each box enclose the company's security policy. Employees will more likely read the policy if it comes with candy canes than if it's simply mailed, or handed to them in the office by the boss.

5. Seek high-ranking executive support.

Once the "bigwigs" get involved, employees lower on the chain will more likely follow suit. How can we get "C-level" decision makers on board in the first place? Tell them that return on investment is contingent upon security. That will get them hopping. Another way to grab their attention is to send out newsletters specifically for them, which will add to their feeling privileged. In the newsletters, include information on security awareness.

6. Recruit other departments.

No department is too unimportant to be involved in security awareness. Get every department involved, even your housekeeping and cafeteria staffs. But especially go after your marketing, legal and human resources departments, because they're in a position to make security awareness a requirement.

7. Re-evaluate.

Re-evaluate your new program every 90 days, without fail. This approach has been shown to be quite effective. To avoid information overload, emphasize maybe three topics at a time over the three-month period. Then, 90 days later, see what needs to be revised, based on those three topics.

8. Hit close to home.

Get employees to focus on themselves; don't harp just on security awareness that affects the company. Make workers understand that security is about them, too, not only the elusive bigwigs. Talk to them about the most common scams and tricks cyber criminals use, and how to protect themselves at home, with tools such as firewalls and wireless VPNs.

Related: U.S. to Establish New Cybersecurity Agency

Robert Siciliano

Personal Security, Privacy and Identity Theft Expert

Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Making a Change

Expand Your Global Reach with Access to More Than 150 Languages for Life

Unlock global markets with this language-learning platform.

Business News

A Government Shutdown Could Cost the U.S. Economy $6 Billion a Week, According to EY's Chief Economist

Experts from EY tell Entrepreneur that a government shutdown could leave "a visible mark" on the economy.

Business News

'We're Not Allowed to Own Bitcoin': Crypto Price Drops After U.S. Federal Reserve Head Makes Surprising Statement

Fed Chair Jerome Powell's comments on Bitcoin and rate cuts have rattled cryptocurrency investors.

Leadership

The End of Bureaucracy — How Leadership Must Evolve in the Age of Artificial Intelligence

What if bureaucracy, the very system designed to maintain order, is now the greatest obstacle to progress?

Business Ideas

Is Your Business Healthy? Why Every Entrepreneur Needs To Do These 3 Checkups Every Year

You can't plan for the new year until you complete these checkups.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.