As we start 2022, there are more employees than ever working from home for at least part of every week. Working remotely comes with extra risk for businesses. When out of an office environment, research shows that employees tend to become more relaxed and less aware around online security issues. Home wifi is likely to be less secure than the office, and the psychological signals that make people think more carefully – like using security passes to get into the office – aren’t there.
Cyber security attacks are becoming more frequent for companies of all sizes. In any business, your employees are the first line of defence against cyber criminals. In fact, figures suggest that around 90% of successful cyber attacks are down to human error, so employees need to be really engaged with the dangers that cyber criminals pose and understand how to behave differently to protect your business – and themselves. We can do this by using behavioural psychology techniques which “nudge” employees into taking the right decisions.
Appropriate training is key
As a trained behavioural scientist with a business background in cybersecurity and finance, I have long understood that for many people, mandatory training sessions, such as those on cyber security, can be seen as a chore. People can feel like they’re being told off for not following all the rules, having a weak password or forgetting to lock their laptops when they go to the toilet. This can create embarrassment or even ‘reactance’ – from psychological Reactance Theory: if you threaten my freedom to choose I will resist – and create the opposite effect. To up their cyber game, employees have to want to take action. In other words, they have to be motivated to do the behaviours we’d like them to do, in preference to what they are doing today. When your team is motivated, they are more proactive and productive – the same is true for cyber security awareness.
Motivation is a desire to undertake a specific behaviour towards a goal. We talk of intrinsic and extrinsic motivation: the desire to do something for the enjoyment of the thing itself – intrinsic – or for the goal it achieves or leads to – extrinsic. The thing about motivation is that whilst important, it is complex and can be difficult to influence. Not only that, but motivation alone will not move people to do things. Of course you have to know what to do or how to do it, but you also have to feel that you can actually do it. You know how to lift a weight, you want to get fit, but you don’t start with a 40kg weight – 10kg? Yes, you can manage that.
So, we need to make things as easy to do as possible so that we don’t have to spend a lot of effort on motivation. Think ‘baby steps’. For example, if your gym clothes and shoes are lying by the side of your bed, ready to be put on first thing in the morning, you’re more likely to put them on and exercise. They’re already there for you – prompting you to make the right decision.
Motivation alone will not move people to do things. You have to know what to do or how to do it and feel that you can do it. And the easier it is, the more likely you are to do it.
How does it work?
As an HR professional, how do you motivate your team to pay more attention to the danger of cyberattacks? To start, make things easy and fun – or at least a little bit interesting – for them:
- Reward – the carrot is better than the stick. Instead of haranguing people about their passwords, reward people who spot a phishing email, or who report a dodgy-looking link, or an unsafe practice. Perhaps have a monthly award for the person who has either done the most to protect the business, or who reported a threat that could have been particularly nasty. Celebrate this!
- Visibility – if all your employees get in terms of cyber awareness is a monthly email reminding them to be vigilant, you’re probably not doing enough. When you’re in the office, put posters and stickers up so that your teams have a visual reminder of the importance of looking after your cyber security. For people working remotely, build it into your weekly or morning team meetings and send out a desk reminder that they can have visible at all times. And walk the talk!
- Share great content – there are some really useful cyber awareness blogs out there along with hints and tips about working safely from home. There are also some great videos about how easy it is to hack into a company’s IT systems. The more people get to see how easy it is for criminals to access your business, the more they are likely to be motivated to think and behave differently. Stories are powerful.
- Look for good practice elsewhere – what are other people in your industry doing? How can you learn from them? Can you join cyber security groups, or perhaps create an employee-run group in your business, tasked with keeping cyber security top of mind?
- Invest in some good training – most cyber security training is dull, so find a programme that will grab attention and is interactive.
As the dangers of scams and cyber security breaches affect more businesses, appropriate training for employees is a vital first defence. It is all about motivating and nudging people to make the right decisions. The aim is to change behaviours and that can make a real and measurable difference to your business.