How to get your employees to care about cybersecurity

Register now

With each highly publicized data breach or cyberattack, it becomes increasingly evident that businesses can’t sit back and hope their security strategy is strong enough to withstand an assault. Something needs to be done sooner rather than later – and you need the support of your employees.

You can design a thorough, comprehensive cybersecurity strategy that protects your business from all major threats and weaknesses, but all of your efforts are futile without the support and cooperation of your employees. They’re the engines that make the entire operation run. Without them, you’ll find it impossible to execute to the degree that’s necessary to be successful.

Unfortunately, employees aren’t always immediately willing to buy into a new security strategy. Their hesitancy is usually rooted in three underlying factors:

  • Lack of awareness. Sometimes employees simply don’t understand the need for greater security. As such, they view any new rules or changes as unnecessary and a waste of resources.
  • Inconvenience. Even when employees do understand the need for advanced cybersecurity, they can be hesitant to adopt new solutions that are inconvenient on the user side of things.
  • Resistance to change. One of the major underlying factors is a resistance to change. People generally prefer to maintain the status quo and will do whatever they can to avoid significant change.

In order to get employees to buy into a new security strategy, you’ll have to identify which of these factors are in play and overcome them through careful execution.

How to get employees on board
Getting employees on board with your new security strategy isn’t a challenge to take lightly. However, here are some simple steps you can take:

1. Help employees understand why

Employees don’t always have the same level of understanding about security issues that you possess. It’s not something they have to worry about on a daily basis, so it doesn’t seem like a pressing issue. It’s your job to make them understand why it’s important.

Two-factor authentication (2FA) is a great example. Initially, employees won’t like the idea of having to perform two steps in order to log in – understandably so. But you can help them understand why it’s necessary. explains it like this: “2FA is your last line of defense and a very good one at that. Should a hacker compromise your unique password, they still would not gain access unless they had your cellphone and could receive the 2FA unique code.”

Sometimes an explanation is all that’s needed. Take the time to explain why you’re implementing changes and what value it yields the business and its employees.

2. Cast a vision

In conjunction with explaining why new security measures are needed, you also need to lay out a vision that helps them connect the dots.

“Clearly state what is changing and why. Show employees where you are today and where you intend to be tomorrow,” entrepreneur Lindsay Broder writes. “Make sure you show them why this matters to the organization, how it will positively impact their careers and how you plan to measure success.”

3. Implement the right training

The best type of training happens when employees are able to participate, as opposed to being subjected to classroom learning and lectures that are difficult to grasp.

The training portion of your implementation is arguably the most important piece. Take it seriously and develop exercises and practices that teach them how to handle specific situations that they’ll encounter on a regular basis.

4. Follow up

After implementing your new security strategy, there has to be some follow-up. In other words, you need to gather feedback, analyze data, and address how change is happening on both a micro and macro level. Anything that isn’t adding up will need to be changed, optimized, or refreshed.

Don’t underestimate the importance of having support from the bottom-up. You can’t implement a successful cybersecurity strategy without getting your employees to fully buy in. By focusing on their hesitancies and resistance, you can improve adoption and enjoy a smoother roll-out.

What will you do?

(This post originally appeared on the ISACA blog, which can be viewed here).

For reprint and licensing requests for this article, click here.