Enterprise security is not always top of mind for employees—but it should be. An educated employee is the first line of defense against security breaches. In a large, multinational company like Microsoft, our best protection strategy is to partner with our employees, arm them with knowledge and empower them to live a secure lifestyle, at work and home. Here are some tips on how we keep our employees informed to practice good security behaviors.
1. Have a dedicated Education and Awareness (E&A) program and budget. Investing in people and resources to proactively and consistently deliver security education and awareness is one of the best ways to protect against vulnerabilities at the enterprise level. Start by defining a plan that ensures security E&A is integrated early in the business operational lifecycle and consider committing a budget to help drive a security and protection mindset across the organization.
2. Develop a communications strategy. At Microsoft, we’re very intentional about the type and frequency of employee communications that are sent out from our E&A team. To ensure key security messages land effectively, we think about which channels are best to share a communication. For security-related alerts that require employee action, we found email to be the best method. For general awareness and reminders, digital signage around buildings and informal mentions at all-hands meetings work well. One thing to keep in mind is the importance of having consistent branding around every communication. From visuals to tone and manner, creating branded templates can help your employees recognize the communication and make an instant connection to security. It also tells a consistent story.
3. Tell employees a story. Or two. Speaking of stories, Microsoft is big on storytelling, so we continually leverage this powerful tool to drive key messages across the organization. Using basic storytelling techniques to tell employees about a new security policy or initiative can help keep enterprise security top of mind for your employees. Have a clear objective of what you want your employees to learn and present the story in a way that is meaningful and memorable.
4. Surprise and delight. Even with a limited budget, organizations can get creative with security marketing. Think about ways you can include compelling visuals for storytelling or drive an incentives program where employees that participate in campaigns get recognized for their efforts. The more fun and positivity you drive around security awareness and education, the more employees will organically tune in to the topic.
5. Foster a “no shaming” environment. Cyber attackers will never stop targeting employees. Beyond awareness and education, it’s important to create a workplace environment where employees feel comfortable sharing potential vulnerabilities they encounter so they can be guided on the next steps, like reporting the incident. People don’t want to get into trouble or lose their jobs over becoming victims of an attack. Reinforcing that the organization is partnering with them, not turning against them, with help solidify the stand against the real enemies.
6. Make a habit out of security. Most companies, if not all, provide regular enterprise security training for their employees at least once per year. But beyond basic education, it’d be ideal if enterprise security became a habit for employees—not a check off their corporate compliance list. How can a company help employees build this habit? By giving them authority. Empowering employees to take charge of enterprise security within their own space lets them “practice security” on a daily basis, eventually becoming second nature to them. For example, you can integrate security tools into daily tasks. At Microsoft, we practice information protection of email by making it easy for employees to properly identify data classification types, then with one easy click, apply protection that encrypts the data. These are simple operational models that don’t take a lot of time but effectively encourage employees to take daily ownership of security practices to help prevent a data breach.
7. Build an army of champions. Your employees don’t have to be “techy” or a “security guru” to champion around enterprise security. If you’re driving the right message (through captivating storytelling) and add in a couple of worthwhile incentives, you have yourself a potential army of security champions. In a large company such as ours, security champions serve as a voice of influence that help us drive awareness, accelerate consumption and create feedback loops so we can better understand how enterprise security education is landing across the organization. Our champions have received credits towards their professional industry security certifications—A nice notch on their resume and a growing population of security subject matter experts at Microsoft. Win-win.
8. Measure success and close the loop. Did employees actually learn something from that last security communication? Are incidents in phishing trending downward because we delivered training on this particular subject? These are questions that should be asked time and time again in order to mature the E&A program and turn employee feedback into actionable items for efficacy and improvements. Partnering with your employees to understand if they truly grasp the “why” of security is also important. Leverage internal social tools like Yammer or Microsoft Teams to informally engage with employees and gain additional insights on program success.
9. Explain vectors and trends. Harnessing the latest cybersecurity headlines and news roundup to educate employees on attack vectors can make a great difference when it comes to disabling hackers from exploiting vulnerabilities. Because attack vectors are not “one size fits all”, it’s important to explain to employees which attack vectors create the most vulnerability within your industry and organization.
10. Turn workplace security into a lifestyle. Lastly, education and awareness is not just about protecting the enterprise but also the extended community. Encouraging employees to share their learnings, stories and insights with family members, friends and neighbors will create public awareness and help enable a more secure environment for everyone.
Your employees can be your strongest security asset or greatest vulnerability. Educate, empower and partner with them to help reduce vulnerabilities and build a secure enterprise.
Learn how Microsoft uses threat intelligence to protect, detect, and respond to threats, Azure Information Protection to classify and label corporate data and Office 365 to help secure the enterprise from modern phishing campaigns.