
Employee Buy-in: Reaching the Unreachable

Written by ProCircular Team | Sep 9, 2019 4:02:00 PM

In security, it’s often said that you will have little success within an organization if you do not have buy-in from management. However, there’s a larger group that is often overlooked, though critical to a successful security program, and they impact all aspects of your security posture. That group, of course, is the end users.

Previously I talked about how to pull together a reward-based training program to help internal training and awareness with regard to phishing (you can check it out here), and we’re going to continue on that rewards-based train… ish. Our focus for today is, “what about employees who don’t have any interest in earning a reward,” or those who seemingly have no interest in anything but what they are there to do from 9-5?

These worker bees can be hard to bring into the security fold, sure. Disinterested in our field, or really anything but what they are there to do at their desks, going through the motions to get their work done, or maybe just dedicated workers in what they do specifically. In my time in IT and Security, I have found a few ways to muster response and interest from these individuals, but it’s also important to note that they are just that: individuals. They have their place and space they operate in and it may take some finesse to get them engaged.

There’s an old saying, “everyone is an asset”. There are positive evaluations of this, in that everyone has something to contribute to something. And there are more… clandestine evaluations of this, in that everyone has a value, or something they value, that can be leveraged. For employees that are stuck in day-to-day motions, I find the latter approach to the asset to be most effective. Maybe it’s the Social Engineer in me, but without malicious intent I like to think of it as more “a redirection of priorities that helps guide them to a safer mindset” than a direct “exploitation of behavior patterns”.

One reliable way, especially for anyone with a family-oriented background and interest (has kids or elderly parents as many of us do now), is to leverage their time away from work to better ‘retrain’ their mindset to a more security-focused viewpoint. Many of these individuals are there to get their work done and go home to their lives where their true interests reside. Why not put the pressure there and think of a way to inject a little security into their interests? If we continue to work in the mindset that ‘everyone is an asset’, we should realize that we, too, are assets. Which means we can bring them an offering that helps their interests directly. Something like a weekly or even monthly security newsletter that includes some information on the company’s security status, sure, but more importantly a focus that includes some external resources or news stories that incorporate Information Security as applicable to their personal lives. Use these stories to your advantage and put a little spin on it. Give some perspective and information on how these stories may affect these employees or their family members. Information like “High vulnerability in the elderly community to scams” or “strong password creation techniques to help secure your children’s Facebook account” (do kids even use Facebook anymore?) after a breach. “Do you have a Capital One credit card? A large breach over the weekend may have affected you” - by creating talking points with the idea that it potentially impacts those people in an area that they have a dedicated interest in, you will help to bolster their interest in security overall.

It’s a self-feeding cycle: as the employee begins to think about things from a more security-oriented point, their overall mindset begins to be more security-minded, and the more security-minded an individual is, even in their personal life, the more it bleeds through in the rest of their daily functions, like work!

These little bread crumbs will also help to spark some overall appreciation for the security department in that, not only are they protecting the business, they are looking out for the employees as well, which further helps to bring the ‘brand image’ (gag) of the security department into a more favorable light. Hell, you might even spark up some conversations about these articles and have the opportunity to further inform.

Overall, whether coordinating/running or being part of a security team within an organization, it’s always important to think of the employees as an extension of that security team. They are the front line and boots on the ground that observe the majority of security incidents before the actual security team is aware of them. It’s often taken as a running joke that the end users are the biggest problem that we face in security. The PEBKaC (Problem Exists Between Keyboard and Chair – aka user error) mentality is funny, sure, but it’s not productive, and just serves to further distance and divide the employees from the Security Team. Any work put into fostering knowledge and understanding will pay off in the long run. And who knows, you just might help to save someone’s grandma from sending $6,500 to ‘cousin Jeff’ in Florida… Just imagine the optics on that!

If you'd like more information on how to engage your employees or our Employee Awareness Training, contact us today!