Three Ways to Gain Employee Buy-In to Your Company’s Cybersecurity Plan

Most executives receive plenty of warning about the importance of network security.  Emails from vendors, insurance agents and managed service providers all describe the damage that a data breach can cause.  Often, the prescription is technology and policies: more firewalls, more backups, and more passwords.  They all help to a point.

The reality is that the best defense against whatever next week’s big cybersecurity threat turns out to be is a skeptical workforce.  What companies really need more than anything else is employees who instinctively slow down and ask “Does this make any sense?” when they receive an email from the CEO, or a client, or even just a social media platform.  That level of scrutiny requires effort, and it adds a few extra seconds each time a request comes in through their mailbox (and over 90% of cyber-fraud is email-initiated).


How do you gain that level of employee buy-in?  Beyond training, you have to get them to care about cybersecurity.  Here are three ways to do just that.

Employee Testing

Preventing cybersecurity fraud isn’t about what your employees know, it’s about what they do.  That’s why you can’t simply test an employee’s knowledge to bolster your security posture.  You have to test their behavior.  Programs such as KnowBe4 test employee behavior with simulated scam emails – and they let both the employee and management know if the employee falls prey to a trap.  These sorts of on-the-job drills take seconds of an employee’s time, but can transform behavior quickly.

Emphasis from the Top

If you haven’t experienced cybersecurity fraud, it’s common to think you won’t experience it.  Your employees probably know it’s happening all the time, but they assume it’s happening to people unlike themselves: more senior managers, bigger companies or companies with bigger secrets.

That’s why personal stories can hit home.  If someone on your leadership team knows a story of a similar company that experienced security fraud, it can be a powerful story to tell if you’re able to provide enough detail to make the story impactful while protecting the company’s identity.  How did it get in the network?  How did it affect the company’s bottom line?  Did they have to let anyone go as a result?  Using a story like this as a segue to why your company is starting to emphasize cybersecurity helps to let employees know that this isn’t another “management initiative” but something that could protect the company from disaster.

Recognition and Small Rewards

One way to bring attention to the fact that these emails really are being targeted at your company is to turn identification of them into a contest.  Have employees send suspicious emails to an IT resource who can verify whether they are threatening or not.  If they are, put those people into a random drawing for a small prize monthly or quarterly.  When the prize is awarded, share some of the “Best of” emails, which were either extremely convincing or comically bad.  This accomplishes two goals: demonstrating recognition for employees who take the company’s security seriously, and also pointing out just how often the emails come into the company network.

To learn more about how WingSwept can help keep your company protected from cyber attacks, call us at 919-779-0954 or email us at Team_WingSwept@WingSwept.com