The Importance of Employees in Cybersecurity Strategy


Earlier this week we released Why People Are Your Best Defence Against a Cyberattack, the latest episode in Get IT: Cybersecurity insights for the foreseeable future, which is about the importance of employees in cybersecurity strategy. This six-part series brings cybersecurity experts from CDW and Cisco together to discuss trends and hot topics in the security space.

In Episode two, Julius Azarcon, national leader of cybersecurity services at CDW, and Rola Dagher, president and CEO of Cisco Systems Canada, examine the crucial role employees play in an organization’s cybersecurity strategy. Highlights of today’s discussion include the role of culture, how to develop good cybersecurity habits within an organization and how the right people and talent can help the cybersecurity industry get ahead of technical threats. Here are some of the topics they tackle in episode two.

Employees can make or break your cybersecurity strategy

Employees should be a central component of any cybersecurity strategy and play a critical role that is often underappreciated. As your frontline, they are both the best defense in preventing a data breach and the primary liability in enabling hackers to take control of an organization’s infrastructure and network. Properly training your employees on how to identify threats allows your organization to mitigate these issues and minimize the likelihood of infiltration. It behooves organizational leaders to be key drivers in this, as you need to ensure your people are provided with the right technology and processes to prevent any issues.

An organization’s security should be recognized as a business issue. People are the most important piece to solving this issue, and the vulnerability of indifference is a key concern. Organizations can only have strong and robust security protocols if employees are actively engaged and understand the value of cybersecurity. It’s important to remember that hackers only need to be right once to have a lasting impact on your organization and stakeholders, whereas you need to be right 100 percent of the time.  

Establishing a culture of trust

If employees don’t feel inspired or empowered in their day-to-day roles, it’s likely that they won’t take the cyberthreats your organization faces seriously. The desire to help their employer beyond their daily tasks is fostered by having a strong workplace culture. Without culture, there is no soul; establishing trust, transparency and constant learning as the foundation of your organization’s culture can go a long way to engendering feelings of organizational pride and openness to training.

Making cybersecurity training a positive experience

It’s crucial that cybersecurity training be a part of your team’s regular professional development sessions. It’s equally important that the content be relevant and personal for the intended audience. Should the training sessions not translate to your team’s day-to-day, the message and skill development won’t resonate. Additionally, the sessions need to be a positive experience. The importance of not blaming and shaming your employees can’t be overstated; employees deserve to operate in an environment of encouragement where they feel able to step forward and speak up without recourse if they find a weak point.

Cybersecurity training should be fun. One great way to accomplish this is through gamification. Crafting your training around competition and reward is a great way to keep employees engaged and make the sessions more dynamic for everyone involved. One example of this tactic is through a points system, where the employee with the highest score at the end of the session is given a reward. Another is through controlled setting war games, where your trainees are put in two different groups with multidisciplinary members of your organization in a mock network infiltration scenario. Get creative with gamification; not only does this strategy help your team develop a greater understanding of cybersecurity, but it also builds camaraderie and culture in your organization.  

Training and awareness in today’s remote landscape

While it’s important for organizations to allow their employees to be flexible given the current work from home environment, it’s equally important that employees are aware of the increased cyberthreats. Our personal and professional lives have blended as staff are simultaneously playing the roles of employee, parent, educator and counselor. Organizations need to simply and concisely convey best practices that employees can easily action to secure their home network, helping to minimize the risk of cyber incidents in our new remote reality – think principles versus technical details. Actionable best practices and effective low-hanging fruit include changing default passwords, creating strong passwords or passphrases, managing Wi-Fi network access and ensuring personal devices are up to date with the latest software.  

When looking to your organization’s management, it’s important that they clearly and succinctly share these steps to encourage best practices in and away from the workplace. Remember that data breaches do happen, and it’s typically upper management who must face the reputational and employment fall-out. Follow through and best cybersecurity practices implementation are essential at all levels, but good habits are important to develop from the top down. It shouldn’t take a pandemic for your organization to realize how important technology and cybersecurity education is to a business. If one part of your organization is at risk, then the entire operation – and likely management jobs – are equally vulnerable.

Where do organizations go from here?

It’s clear that cybersecurity threats facing organizations are increasing in frequency and sophistication. Organizations, in particular senior management, must recognize the prevalence, inevitability and dire consequences of today’s threat landscape and take the necessary steps to prevent becoming the next headline. You need to take a holistic look at your organization and ensure that the entire ecosystem is secure. Instilling the zero-trust security concept in your employees will reinforce the idea that a bad actor could try to take advantage of any vulnerability – however small – and cause irreparable damage to your organization’s network and reputation. Organizations need to prepare for the current and future environment, defend your infrastructure and respond to incoming threats by remembering the processes instilled in employee training. Having more open environments where workplace culture is the North Star will help.

Today, we’re seeing a fundamental shift in how organizations must operate and protect themselves. Whether it be developing a culture of trust, providing sufficient training or ensuring employees are prepared to be responsible digital citizens at and away from the workplace, it’s essential that your frontline staff be at the center of your cybersecurity strategy – now more so than ever.

For more insights on employees’ role in cybersecurity, listen to episode 2 now.