In the early 1980s, Ford Motor Company’s slogan was “Quality is Job 1”. That mentality was born from Ford’s President, Philip Caldwell, who believed the only way to compete in the automotive industry was to stop pushing out large quantities and focus on quality.
That change made a big impact. The slogan lasted 17 years and helped make Ford one of the top auto makers in the world. The reason that initiative worked for Ford wasn’t just because it was a catchy phrase. It's because the mentality behind it was embraced by every level of the company. From janitors to the CEO, everyone believed in the message.
For your company to have a successful cybersecurity program, you also need the whole team to get on board!
Why Does Company-Wide Cybersecurity Matter?
According to the Verizon Data Breach Report in 2019, one-third of breaches had a social engineering component. That means the people inside the company, and sometimes outside, are a big part of the problem. Without education or training, employees may open dangerous emails, allow a stranger into the building, or give away private information on the phone. Hackers have become savvier and increasingly rely on exploiting human behavior. Business leaders and employees need to keep adapting with the times as well.
A significant breach of your company could be detrimental. Not only could it cost the company money, it could also cost people their jobs. That’s why, as business leaders, you need to start the cybersecurity conversation as soon as possible.
It’s More Than Just Training
There’s a difference between training and awareness. Training is the initial education activity. Awareness is an ongoing reminder.
Training is important in cybersecurity because hackers are always evolving, and it’s crucial to stay on top of the latest trends and threats. However, it’s not going to be the most important key to keeping your business safe. What really sticks with people is the connection they feel with the message. Just like Ford, you need all levels of the company to understand and support the mission of cybersecurity.
Take manufacturing plants for example. All plants should have a safety coordinator on staff checking for issues and coming up with incident prevention plans. A company whose leadership believes in that mission, and promotes the health and safety of their employees, will have a lower accident rate!
On the flip side, if a company’s top executives are primarily concerned about profit, they will eventually see the effects of that in more dangerous incidents on the job.
Employees need to know the leaders in the company care. They need to see the highest level of executives spreading awareness by continually talking about things like governance policies and avoiding scams. If their boss doesn’t seem interested in cybersecurity, why should the average employee go above and beyond?
Lead by Setting an Example
If you talk the talk, you better be ready to walk the walk. Business leaders should have the same set of guidelines as the rest of the company when it comes to cybersecurity. If an executive opens a phishing email and compromises company data, they should face the same repercussions anyone else would.
That brings up another point many businesses fail to address. There need to be set consequences for not following cybersecurity protocol. These rules should be discussed openly, and not following them should be taken just as seriously as safety or money violations. Leaving your company vulnerable to a data breach is the same as leaving a cash drawer open in public. People at all levels can compromise the company’s security and they should all be held accountable by the same standards.
Cybersecurity is a Culture Issue
For people to care about cybersecurity, they need to feel a personal connection. If you can show them how their actions impact their own livelihood and their peers’, they may feel more conviction. Try to create a personal connection to the value of cybersecurity.
A good example to share with employees is someone who has access to their personal data. If you know a business or medical provider has your sensitive information stored in their system, don’t you hope the employees there are protecting it? Like public health, cybersecurity is just as much for the employee’s protection as it is for the community’s safety. Everyone should try their best to keep data protected, whether it’s their own, a colleague’s, or a stranger’s.
You can't force people to care. Employees must buy into the importance of the mission for it to sink in and work. As a leader in the company, you need to make it a core value everyone appreciates.
One Size Won’t Fit All
How often to do cybersecurity training, or when to discuss awareness campaigns, really depends on your business. The frequency and delivery vary with the risk to your organization, the job duties of each employee, and the technology the employees use. There are so many factors to consider, which is why it’s best to analyze your own situation thoroughly rather than starting cybersecurity initiatives without much thought. It’s all about determining risk and addressing those concerns through a prioritized approach.
There also needs to be follow-through. Don’t just slap on some policies and forget them. Cybersecurity needs to be continually evaluated and at the heart of what you do every day. It needs to be just as important as the rest of your business to become a part of the culture. Without people buying into the message and mission, you will always be at a higher risk of a cyber-attack.