How to Social Engineer Your Team for Dedicated Cybersecurity
Modern businesses are now aware that employee participation is essential for cybersecurity. No matter how good your firewall and security procedures are, your company system can only protect each person and computer to the extent that they keep the security doors shut. If an employee answers one phishing email or opens one malicious link, they could put your entire secured business network at risk.
Because employees know this, the biggest risk is social engineering. A social engineering hack occurs when a hacker tricks employees by using social tricks. They might pose as a coworker or relative in order to get answers or trick an employee into clicking a malicious link. Employees must be trained to identify and resist social engineering hacks. But what’s really interesting is that social engineering can be used the other way as well; to your benefit.
Social Engineering for Cybersecurity
One of the biggest challenges with security training is getting everyone to remember and commit to the methods learned. It only takes one mistake for your business network to be breached, and most people stop bothering with the more tedious cybersecurity measures within a day of being reminded. So how do you improve security among your employees? The same way hackers slip through the defenses: Social engineering.
What we’ve learned from hackers’ past victories is that social engineering works. People will change their patterns and are motivated to take action when social pressure is involved. So instead of focusing on “stopping bad behavior”, focus on building a culture of supportive cybersecurity. The more company culture and social force you put behind security in the workplace, the harder your team will work to uphold the security standards in everything they do. Here are more than a few tips on how to make that happen:
Make Security Training Fun and Honest
The very first step is your cybersecurity training. Make it engaging, interactive, and fun. This set of lessons for new and onboarding employees shouldn’t be a drag, it should be interesting. Be honest about why the training exists and use real stats and stories to get their attention. Mention famous security breaches and the real damages done. Mention big brands that have been breached and the known human vectors that allowed those breaches.
Get your employees involved in the learning, and make sure cybersecurity training is an enjoyable experience with practice for each lesson learned. This will make it all more likely to stick.
Get the Execs and IT Publicly On-Board
When a company takes on a new set of policies, execs are often seen as standing aloof and exempt. But this sets a bad precedent for changing your company culture. Instead, use your execs as figureheads for the movement toward everyday cybersecurity. Make a show of the execs taking the classes and implementing the changes. Get the IT team involved, too. This shows that everyone is taking part, and that even IT doesn’t consider themselves too advanced for everyday security measures.
When execs and IT are onboard, it becomes apparent that the whole company is changing. Not just new policies for the middle and lower ranks. Your entire team will be more excited about the changes if they’re something the entire company is doing.
Support an “Us vs Them” Attitude Between Employees and Hackers
Normally, you try to avoid an ‘us vs them’ mentality, but this case is different. One of the best ways to get your people involved is to turn cybersecurity into a sports rivalry. Your team, the corporate professionals, are defending company secrets and customer privacy from their team, the intruding hackers.
Get your team excited about facing down the hackers, showing the hackers who’s boss. Every phishing email they field to IT instead of opening is denying the enemy team a goal. Every scammer they flag is scoring a goal on the other team. You can celebrate like a team and enjoy a healthy Us vs Them attitude where everyone contributes to beating the enemy hackers.
Offer Rewards for Catching Hacking Attempts
Rewards are uniquely powerful for workplace social engineering. When you openly reward someone for a job well-done, others seek to achieve the same heights for the same reward. This exemplifies what is important in the workplace. So, naturally, rewarding caught hacking attempts is a great way to influence your workforce to try and catch more.
Consider a standard celebration, congratulations, or honored presentation for those who report phishing emails rather than falling for them. Or you might put out a standard ‘bounty’ in quarterly bonuses for the most cyber-vigilant employees who catch incoming hacker attempts. Rewards are a wonderful way to build a positive culture of vigilance and anti-hacker teamwork.
Emphasize Shared Responsibility for “Keeping Doors Shut”
It can also help to reframe the idea of cyber security. Many companies take a ‘responsibility’ standpoint when emphasizing cyber-vigilance to employees. But this often winds up with a negative angle: “Employees cause data breaches, don’t be the cause of a data breach”.
Instead, take the negative spin off the conversation and talk about keeping the doors shut. Mention that the company has great security infrastructure, but a house is only as safe as its closed and locked doors. Encourage everyone to help “keep the doors shut” by performing practical cybersecurity measures. Log out of workstations, screen-lock their phones, and use complex passwords. By avoiding malicious clicks and idle logins, your team can help the whole company take advantage of the solid security infrastructure keeping you safe.
Host Creative Password Challenges
Speaking of complex passwords, not everyone knows how to make a good password. In fact, most people don’t. A great way to help your employees maintain company cybersecurity is to turn password creation into the game. People far more easily remember the rules of a game than they do password creation tips.
Use a meeting or training session to introduce the acronym password: a password made from a funny acronym with a few replacements for numbers and symbols. Challenge the team to practice making acronym passwords and reward the most creative and complex password-writers. Then encourage everyone to make a new, original acronym password for their workstations and mobile devices.
The occasional repeat password challenge keeps strong passwords as a value that employees will encourage each other to uphold. If only so their team can win the next password challenge.
Quiz Security Policies at Meetings
You can also enhance the memory and use of security measures by quizzing on them during meetings. Every few meetings, as a few pop-questions about security aimed at random team members. What do you do if an email asks you to download a file? What is the right response if you get a log in alert when you haven’t logged in? Should you connect to a guest wifi network when on a business trip?
The answers to these questions are both important and quickly given. Pop quizzes can, in the right group, be seen as fun and a good way to help everyone remember the most relevant security measures for their team.
Stage Cybersecurity Drills
It’s great when your team is ready to catch a hacker, but what if months go by with no activity to catch? Rather than allowing your team to grow bored and inattentive, challenge and reward them with cybersecurity drills. Invite your IT team (who will love this game) to play the hackers and stage phishing emails and other signs of threats for your employees to spot.
Announce that there will be drills, but not when or in what form. This will keep everyone on their toes and the security-defense rewards flowing.
Reward Employees for Taking Extra Security Measures
Every now and then, do a security audit. If you find that some employees have taken extra measures like encrypting their work phone or customizing their email security settings, hand out rewards. Make it clear that employees who take an active interest in security and who go that extra mile will be recognized. Nothing solidifies a pro-security company culture like unexpected rewards.
Celebrate Each Year Breach-Free
Finally, make breach-free years something for the whole team to celebrate. Each year your company makes it without a data breach, have a special party dedicated to the success. Emphasize that you never know which phishing email your team repelled might have been the malware to sink the company, and it didn’t. Congratulate everyone who pitched in and thank the whole team for maintaining your high standard of cybersecurity. For more fantastic security tips and insights, contact us today!