CyberSecurity is a life skill.
Many of us didn’t grow up with the Internet, so we don’t realize that it’s a lot like the bad part of town. Collectively we’re all working to make it a safer place, but until then, we need to take steps to make sure our online wallets don’t get pickpocketed.
That’s where CyberSecurity Wellness comes in.
Most of the Fortune 500 has some kind of wellness program in place. Corporations have realized that healthier employees have lower healthcare costs and they have higher productivity. They incentivize healthy habits, provide screenings for preventable illnesses, and help educate employees about incorporating changes into their lives.
Most CyberSecurity awareness programs fall short of achieving real change because they treat security education like any other once a year mandatory training. It’s boring. Employees tune out because the information isn’t personal to them. Employees don’t engage because it’s only once per year instead of ongoing. The term “awareness” itself implies that we don’t want employees to actually do anything, and that couldn’t be further from the truth.
So what would a CyberSecurity Wellness program look like?
There could be many ways for a company to implement a CyberSecurity Wellness program, just like there are many different ways to have a wellness program. First, it must fit within your corporate culture. Maybe that means it should be a part of your overall wellness program. But the program should start with some well defined goals and outcomes for what can be accomplished. And this should be a multi-year plan for how to make incremental steps toward better security.
Your program should start with an assessment of general employee wellness. Have they been the victim of identity theft? Has their Facebook account been compromised? What are their current cyber hygiene practices? Perhaps you can incorporate the results of a simulated phishing exercises or social engineering tests.
Next, you need to provide feedback. Most wellness programs offer a customized score that helps the users themselves understand what they may need to work on. Department heads should receive aggregate scores for their areas so that they can understand their employee risk profile.
Your education programs can then be custom tailored to meet each employees needs and prioritized based on where each employee is at. Some wellness programs offer challenges to help create engagement with the program. Your company can offer webinars or brown bag sessions, whatever is most suited to your culture.
Finally, the program should be evaluated. Did the company experience any incidents? How did the program impact that incident? Did the program achieve the defined goals or outcomes? Can you tie back to reduction of insurance premiums or other savings to show a return on your investment? Finally, employees who participate in the program should be recognized in an annual event that ties back to learning efforts.
CyberSecurity isn’t something that you will improve simply by offering the same 30 minute course year after year. In a University setting, you start with 101 classes, then progress to 202, or 303. Your CyberSecurity program should take this into account to help build a community of employees who practice good security both at work as well as at home.