Public acknowledgement and rewards for engaging in cybersecurity best practices will result in greater workforce buy-in and participation, according to a security author and expert.
"You don't just make it a negative thing," said Jayson Street, vice president of infosec for Manhattan-based consultancy SphereNY. "Usually when they do carrot and stick, we've got more stick than carrot."
Every employee that forwards a phishing email to the IT department should get entered into a quarterly drawing for a reward like a $100 Amazon gift card, Street said. Street delivered a keynote address Wednesday at XChange University: IT Security, hosted by CRN parent The Channel Company.
Street said this type of initiative can get a broad swath of employees engaged with what secure policies look like at a relatively minimal cost to the company. In Street's experience, this initiative has led not only to employees catching the simulated phishing emails sent as part of the contest, but also to employees flagging and identifying legitimate phishing attempts from bad actors.
Employees should be personally thanked by the IT department for reporting a phishing attempt or any other potential security incident, Street said. He also recommended sending out a newsletter that publicly acknowledges the employees that have reported phishing attempts.
"Give them that public recognition," Street said. "Make it part of a competition."
It's important that employees not feel demoralized when it comes to their security posture and preparedness, Street said. "You're dealing with people, not servers," he said. "Servers don't get their feelings hurt when they're compromised."
One simple thing Street recommended is having the IT department go through the offices and look under the keyboards of every employee. The security team is likely to find that a number of workers have left a sheet of paper in that location with all of their passwords written down, which Street said presents a good, real-world opportunity for user education.
Solution providers also need to make the security training engaging for customers, Street said. A multiple-choice online quiz that's administered yearly isn't going to capture employees' attention or truly make them security-conscious, according to Street.
"Make it something interesting for them, which will then make it interesting for you," Street said. "That's how you battle the battle fatigue."
Once employees are engaged, Street said solution providers should then take a deeper dive into what exactly they're securing and which parts of the network should be given the highest priority. This involves figuring out whether the customer cares more about availability or integrity, as well as which technology is actually making them money.
For instance, Street said some businesses wouldn't care if their website was hit by a DDoS attack and was down for two days. Other companies, though, would be completely lost if their website was down for just two hours, and would be at risk of going out of business entirely in the event of an extended outage, Street said.
"You need to understand what you're trying to defend," Street said.
At the end of the day, Street said businesses can only mitigate a portion of their risk, with some of the rest being offset by a good managed security service provider and the remainder having to be accepted by the end customers. Solution providers need to educate the C-suite on responsible procedures for mitigating risks, Street said, as well as the challenges associated with risk that's unmitigated.
"You can only mitigate so much," Street said. "You have to let them know that they are accepting some risk."
Solution providers need to take the time to learn business terminology to effectively communicate with corporate leadership rather than putting the onus on the C-suite to learn IT vocabulary, Street said. Numbers and metrics that capture the gravity of the security situation businesses are facing go a long way toward capturing the attention of executives, according to Street.
For instance, Street said solution providers can track the number of malicious emails that were thwarted going through the network, as well as the number of scans for malicious activity that were blocked by the firewall. This level of insight will help cybersecurity move beyond being seen as a cost center, according to Street.
"Give them a different view, let them see something different," Street said. "When they're engaged, you get money, which is good for everybody."
Enterprise Data Concepts (EDC) has been playing around with gamification internally and trying to find a system that can overcome the implementation hurdles, said COO Roddy Bergeron. The Lafayette, La.-based solution provider has tried giving its own employees gift cards or time off when they report something that's in violation of the internal IT policy, Bergeron said.
As it rolls out gamification to clients, Bergeron said EDC will look into providing office-wide rewards or lunch-and-learns to companies where employees have reported an issue.
Bergeron also appreciated Street's push for positive reinforcement rather than negative feedback. Employees are more willing to change their behavior when it takes the form of praise rather than badgering, he said.