Your organization’s employees are required once a year to complete some form of cybersecurity training, which might include a short online course, training videos and a test to wrap it all up.
Whether that model of training is adequate in today’s cyber climate is another question, but what if employees aren’t even taking that rudimentary training seriously?
Cyberattacks are escalating in frequency and sophistication, with ransomware running rampant. According to a recent report from SonicWall, ransomware attacks increased 151% over the first half of 2021.
There are several things you can do, from a leadership, technical and human resources perspective, to make sure employees actually complete the training.
Enlist executives and/or managers to ensure compliance
The best method to achieve organization-wide buy-in is to enlist help from the top. Depending on the size of the company, urging each and every end user to comply with your cybersecurity policies and finish the training you chose for the organization may be too much to ask of the IT department.
Consider instead leaning on company leaders who can help spread your message and require that their employees complete the training and become cyber aware. This should start with business executives, who are aware of the costs associated with recovering from a cyberattack, but IT admins should also consider enlisting the help of the HR department, which can make this a priority much like harassment training or OSHA compliance.
Report noncompliance to leadership
Once you have buy-in from leadership on the importance of cybersecurity awareness, they'll be more willing to back your preferred consequence for not completing the training, or they may impose their own.
You can send regular compliance reports to executives or managers that detail who did or did not complete the training. That way, it is the employee's direct supervisor, not a rarely seen IT administrator, who raises the prospect of disciplinary action.
Restrict access until training is completed
Unfortunately, there may still be employees who are either ignorant of the threats lurking in cyberspace or don't feel that cybersecurity applies to them. Of course, they are wrong.
If employees still don't comply after several email warnings to complete the training, disable their access to email or other applications until they complete it. Suspend the account in your identity provider rather than deleting it, so access can be restored the moment the training is done, and make sure the user can still reach the training itself and be notified through a channel that still works. Until the user completes the training and is made aware of current IT security threats, their use of company networks is a liability.
This is a drastic step, and one that you’ll need the support of leadership and HR to implement.