You may have heard about companies that shame employees who have unintentionally caused a cyber incident at work. While it’s true that all it takes is one wrong click by a staff member, shaming staff isn’t the way to better cyber security.
An editorial in thinkdigitalpartners.com quotes British cyber firm CybSafe, “Formally punishing staff for making cyber security slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and skepticism about cybersecurity. It may also trigger legal challenges. And people are much less likely to report quickly, if at all, when they are frightened of being punished for doing so.”
So, how can your business take a more positive approach to creating a cyber secure environment? Johanna Baum, founder and CEO of Strategic Security Solutions, suggests you try the following: "[Your] approach should be to increase overall learning and the individual threat intelligence of every user. It's hard, it requires significant patience, but is way more effective than setting a trap and full-scale mockery of the transgressor. No one wants to publish their internal cyber security test results."
Baum goes on to say that "openly discussing security initiatives, assisting your team in internalizing the global impact and promoting wide-scale security evangelism as an organizational imperative, rather than an IT mandate, goes a very long way to securing the organization—certainly much further than the fired employee who was the poster child for the failed shame game phishing test."
Building a cyber security culture around positivity can be difficult, but it is certainly more effective than using fear and shame. Remember, everyone makes mistakes. Even senior IT people can be fooled by a well-crafted phishing email. If you are trying to grow a more positive cyber security culture in your organization, talk to the experts at QuickProtect. They can help you build out a positive cyber awareness training program and provide other cyber security products and services to protect your business.