Have you ever asked a question and started it by saying "This may sound stupid, but…"? And how many times has someone responded to you, making you regret you ever asked that question? We've all been there at some point. And it feels terrible. So terrible that sometimes we end up keeping our mouths shut next time we have something to ask.
What if I told you that same principle could be a deciding factor in determining whether your company stops a cyberthreat or not?
If I've learned anything working here at Security Innovation, it's that employees are an organization's weakest link when it comes to cybersecurity. If those employees don't feel comfortable speaking up if they feel they did something wrong, then they're not going to! And guess what? Your organization could suffer from the consequences.
All employees should be trained on security awareness best practices, but attacks these days are so realistic and sophisticated that sometimes, things unfortunately do fall through the cracks. Employees need to feel comfortable coming to the security team if they think something could be wrong. It could be the determining factor in whether you stop the threat before it becomes a serious issue, or let that malicious link they just clicked on continue to cause more damage because it's not being dealt with.
So how do you get your employees to speak up?
Let People Know You're There
The first step is to let people know you exist. It sounds simple, but I've worked at small organizations where our IT staff wasn't on site. I never met the guy, and the only interaction I ever had with him was when I needed a replacement cable for my monitor. Employees will only actively seek you out when they think they have an issue, but if you engage with them on a regular basis (let's say you send them an email about a new threat to watch out for), they'll become more comfortable speaking to you on other topics. Yes, you will likely get some ridiculous questions (I asked an IT guy once why my mouse wasn't working... turns out the batteries were dead), but even if an employee does feel comfortable speaking up, they may not think it's important to notify the team if they don't know it's an issue in the first place. Send a friendly reminder every once in a while, and let everyone know you're there to help when they need it.
Remember: No Question is a Stupid Question
I admit I ask dumb questions all the time, but I wouldn't if I thought someone was going to laugh at me for asking. You have to remember, we non-techies aren't engineers, and what seems obvious to more technical folks might not be as obvious to us. If an employee at your organization emails you and asks "Was I supposed to send the Prince of Nigeria all our bank account info?", your first response shouldn't be "Why would you even think that was a legit request?" I know you're probably thinking it, but saying it isn't going to make the situation any better. They also probably won't ever come back to you in the future, knowing how the situation was handled the first time. Instead, use this time to gather information on exactly what happened... and then you can go into panic mode to start fixing the problem.
Constructive, Not Destructive Criticism
If an employee did do something wrong, take the time to help them understand why it was wrong and how they can avoid falling into the same trap in the future. We all make mistakes, but we also learn from them. If an employee doesn't understand why what they did was wrong, odds are they'll do it again. And next time, your organization may not be so lucky if they don't report the problem.
A solid security awareness training program can help employees understand common cybersecurity threats, such as how to spot phishing scams or detect malware. But employees often need an extra push from others around the organization. Try testing your employees with a phishing simulation so they can experience firsthand what a fake email might look like and how it should be dealt with. Reinforce the program by reminding employees about new threats and how to protect against them. We look to the experts to help us out and to educate us on protecting the organization against cyberthreats, and if you give us that extra push, we'll start becoming an asset rather than a risk.