By SecureWorld News Team
Mon | Oct 9, 2017 | 10:20 AM PDT

We hear this all the time from InfoSec leaders at our SecureWorld cybersecurity conferences in North America: "Cybersecurity in the workplace is everyone's business." 

That ties in nicely with this week's theme for National Cybersecurity Awareness Month in 2017.

Now the question: if cybersecurity is, in fact, everyone's business, what actually works to gain employee buy-in on cybersecurity?

3 human factor awareness methods to get employees to take cybersecurity seriously

Here are three methods for getting employees to care about cybersecurity.

1. Security awareness strategy: Consequences for repeat cybersecurity failures

"After three warnings, we will shut down their incoming and outgoing email," says Mitchell Sprinsky.

The Chief Information Officer at Spectrum Pharmaceuticals believes in tough consequences for end-users who continue bad security behavior.

"First is a discussion with their manager. If there are persistent problems, the employee is referred to HR for an improvement program. If there is no improvement, then there is possible termination, but we've never gotten to that point."

2. Security awareness strategy: Counseling instead of consequences for employees

Alan Levine, former CISO of both Alcoa and Arconic, says the InfoSec team should make things personal. "Counseling may be necessary, but not counseling that involves HR. If you transfer that responsibility to the HR department, you have become an enemy of the people," he says.

Levine, who is now a consultant for Wombat Security Technologies, says the InfoSec team should make time for a personal visit or a remote visit for repeat offenders, where specific best practices can be discussed.

3. Security awareness strategy: Making security personal by starting at home

Mike Muscatel, Information Security Manager at Snyder's-Lance, Inc., calls security awareness training a shared responsibility. He really believes in making things personal and relatable to employees' everyday lives to gain their attention.

"At the end of the day, the attack often doesn't start at the company, it starts at home. Because they need a way in. Bad behavior at home, like password management, can follow you to work."

How do you implement these approaches? What does creating a solid security awareness program look like? Check out our stories on "Consequences of Counseling? Employees Who Repeat Bad Security Behavior," and "New Phishing Research, Ideas for Improving Your Security Awareness Program" for data on phishing and the human factor.

SecureWorld is proud to be a partner of National Cyber Security Awareness Month.

For the latest cybersecurity news, follow SecureWorld on LinkedIn, Twitter, or Facebook.