Cybersecurity /ˌsaɪ.bə.sɪˈkjʊə.rə.ti/ [noun] A word we hear all the time and think it won’t be an issue for us, whilst crossing our fingers behind our backs and hoping it won’t be.

If you are a people manager, business owner or just a parent with a youngster who has all your credit card details stored on their iPad, read on.

Cybersecurity is not a sexy subject- but protecting your employees and educating them on cybersecurity should probably be at the top of your list for 2023.

Why should anyone care?

We could put some scary statistics in here but the fact is, no one cares about cybersecurity until it affects them or their business. Cybersecurity attacks can destroy profits, morale and brand reputation but whilst a more cyber-savvy workforce will help a business by spotting attacks a little more easily, companies often make the mistake of tailoring the cybersecurity message towards protecting the business, not the employee.

If your employees are safe online at home they will be safer online at work. They will be less stressed, probably a little less embarrassed and maybe a bit richer for it. But many companies fail to engage their employees and baffle them with tech-speak.

As a trainer, I use humour to engage people in this subject (yes really it can be done) and here are my golden rules for making cybersecurity training less boring and stressful.

#1 Engage, entertain and retain

In a world full of content, employee attention is fleeting. By designing training centred around the needs of your employees, you help keep them and their loved ones safer online and by default your business. If you deliver it in a fun and engaging way that allows them to ‘teach’ it back to people, it will not only engrain the message but also help them retain it.

3 Steps to Success:

1 Engage your employees in keeping themselves and their families safe.

2 Create training that is entertaining so that your employees can easily teach it to other people.

3 Encourage them to teach it, to help them retain it.

#2 Did someone call the Fire Brigade?

The first thing people need to know is what to do, who to contact and how. This is of primary importance. Think about a fire alarm drill- most people know where the exits are, not to use the lifts and how to raise the alarm. You don’t ask them to fight the fire, so don’t expect your employees to fight this one either.

Keep your plan simple, who do your employees contact to raise the issue and how do they protect themselves. Leave the firefighting to the professionals so that no one gets burned.

The 3-step plan

1 What do people do in the instance of a breach

2 Who do they contact

3 How do they contact them

#3 We’re only human  

The three most common cyberattacks are really just attacks on human emotions. Most scams play on familiarity, urgency or desire.

Familiarity scams typically look like a bank, the HMRC or eBay, asking people to click a link or validate a purchase. Urgency includes scams such as emails from a boss asking employees to buy gift cards or suppliers asking to pay an invoice. Finally, the ‘too good to be true’ desire emails- diet pills, enlargements, reductions (you know the sort of thing).

The point to remember here is that most people are fallible and will have at one point in their life been scammed out of something, had a momentary lapse in judgement or just been downright distracted. We are human- so create a procedure that allows people to admit their mistakes without shame, embarrassment or making it too public.

Supporting colleagues with cyber attacks

1 Ensure that all colleagues set up two-factor authentication on any available sites.

2 Have a clear policy on which websites are out of bounds at work.

3 Create an easy-to-follow and shame-free escalation process.

#4 Sharing is not necessarily caring

An essential part of any cyber training must include the dangers of shared networks. Eavesdropping, credential capturing and free wifi networks all pose potential problems to your employees.

Little and often is the only way forward with this. Why not engage your employees with a ‘one bite cybersecurity’ email which contains ONE thing your employees can do to keep themselves safe a week?

(And a word to the wise; please get non-tech people to write this content so that it’s more entertainment than anaesthesia).

The Little and Often Golden Rules

1 Make the content bitesize.

2 Make it actionable.

3 Make it easy to understand and fun! Fun is the secret sauce that keeps people coming back for more.

#5 Working from home/coffee shop/bed/man cave/

We knew we would get here eventually. Just like the unchartered territory of dress code/ kids/dogs/cats/spouses on the zoom call, there is also a whole new world to consider for cybersecurity.

Working-from-home policies need to be easy to follow and easily understood by all. Make and keep it simple. Give employees clear guidance on what they can and can’t do on your equipment and what control, if any, you have on their personal devices. And of course, remind them that there are rules for people who live in the house (but don’t work for you) on what networks they can access.

The 3-Step Safeguard for WFH

  • Consider a ‘Quick Start’ guide to using personal/work devices at home.
  • Supply top family-based tips for staying safe online (an opportunity to teach others as I mentioned way back at the beginning).
  • Install valid software and update it often.

Cybersecurity doesn’t have to be boring. By keeping it simple, cutting it down into bitesize pieces and making it employee-focused, you will educate, inform and inspire people to protect themselves- and by default, your business online.

Ian Murphy
Ian Murphy
CEO at CyberOff | + posts

Founder and CEO at CyberOff, Ian’s goal is to make cyber security awareness fun, interesting, accessible, and engaging. Ian is a veteran in the cybersecurity industry with over 30 years of experience. Now, Ian focuses much of his energy into his security awareness company, CyberOff. CyberOff specialises in delivering security training in a memorable and entertaining way.