Most people think that a team has one person who is accountable for results. Legally, this may be true, but according to Patrick Lencioni, in The Five Dysfunctions of a Team, the more people who take accountability for results within the team, the better the team will perform.
You have probably heard axioms like “security is everyone’s responsibility”. You may have then, within a short time, seen evidence that not many people really take this statement to heart.
For people to believe that they have a responsibility for security, they have to have some clarity around what that means… to them.
One of the simplest ways to clarify the average employee’s security responsibility is to have executives model their own accountability, on a personal level. This means sharing stories of how a phishing attack or scam impacted them, and what they did about it.
This makes it easier and more relatable to convey the message that anyone, from the top executives to the newest, junior employee, can be a target.
Photo: Shane Rounce via Unsplash
For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
In fact, all employees will learn how to spot risks and act appropriately from a continuous program of published risk scenarios that are faced by employees at all levels and in all functional areas, on a regular basis.
How this is done can be tailored to the communication methods of the organization. But one scalable way to reach most employees is through Click Armor’s weekly challenges. These are short, 3-minute gamified exercises that illustrate risks in an immersive and interactive way.
A regular program of challenges can show employees the kinds of risks they may face, and guide them on how to avoid becoming a victim.
When employees see that everyone is facing these risks on a regular basis and that there are tools to help them defend themselves effectively, they will find it easier to take accountability for managing their own risks. Then, the team will become more accountable, as a whole, for cyber security.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.
Why live phishing tests suck: Lack of clear guidance
Employees must be given clear, consistent guidance on what to look for, and how to handle suspicious messages.
This may seem obvious, but most organizations are too vague in their guidance to employees, and rarely try to reinforce it.
Unless employees are in externally facing roles, where they receive many external inquiries, they are not often thinking about this.
You need to be constantly reminding employees about what they should look for in sender addresses, link URLs or body content.
Without this guidance, you should expect random fluctuations in their ability to avoid suspicious messages in phishing tests.
Testing people on knowledge they have rarely seen is unfair and unproductive.
You should be using an awareness program that provides ongoing, practical tips and allows them to practice using them to spot threats in a safe environment.
For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.