SMB Cyber Security Compliance: Four Proven Tactics to Change Behaviour


Photo by Josue Valencia

We’re all aware of cybercrime and the risks it holds to us and our businesses – but does this awareness change our behaviour? An article by Stanford Social Innovation Review suggests that it does not, and that to believe changes in our awareness automatically produce changes in our behaviour is flawed.

What does this mean for corporate cybersecurity training? With 95% of cyberattacks beginning with a phishing email, your staff are your first line of defense against cyber criminals. Your team's ability to identify and report suspicious cyber activity can help reduce the likelihood of significant financial loss. SMBs face the same threats as large corporations, but must defend against attacks with fewer resources.

Four Proven Tactics for Cyber Security Compliance

So instead of spending on an awareness campaign, here are four proven methods to encourage employee compliance with cyber security:

  1. Incorporate Cyber Security into Your HR Onboarding Process

    Cybercriminals target the weakest link, humans, using simple yet effective social engineering. In the context of information technology, social engineering means the psychological manipulation of people to capture confidential information. Cyber criminals use emotional motivators (fear, urgency and curiosity top the list when it comes to successful cyberattacks) to craft emails that entice clicks. For example, cyberattacks become more prevalent and successful during a change of company leadership. Staff are anxious to impress their new boss, so when asked to send a wire transfer or forward an attachment, they may feel scared to object or question what is being asked of them.

    For new employees, these emotional motivators are especially high: they're keen to impress, scared to mess up, and in a state of general exploration at the beginning of a new job. During new employee onboarding, appoint a cyber security champion to provide basic training on common topics such as identifying an email phishing attempt or what to do if they feel they have been compromised by a cyber attack. Provide training material with the steps employees should take when they feel they've been targeted.

  2. Train Regularly

    Staring at a cyber security video for 45 minutes isn't going to change anyone's behaviour. Try to leverage training material that is short, interactive, and easily accessible. One great opportunity for learning lies in periodic email phishing simulation tests. In these tests, employees are presented with a fake email phishing attempt. If they take any action other than reporting the email (the correct action), they are prompted with a roughly 30-second training moment. By capturing a person right at the point of having made an error, they are more receptive to learning. This is proven to improve the rate at which employees report phishing emails.

  3. Use Positive Reinforcement

    Relying on punitive consequences to deter negative behavior will only hurt your cyber awareness efforts. When used in conjunction with training, positive reinforcement can help produce the right behaviours for your team. There are two variations of positive reinforcement that are commonly used to encourage cyber security compliance: gamification and rewards.

    Gamification leverages the positive and exciting aspects of a game, applying them to things that may not be considered as exciting, such as cyber security training. By creating points and developing a "game" around compliance, you can foster teamwork and encourage cyber compliance. For example, every time one of your team members reports a phishing email, their team gets 20 points. This can be done for individuals, but is often more successful when done in teams, where social influence drives participation and, ultimately, a "win" for those participating and for the business.

    Alternatively, a reward could encompass any number of things depending on your company culture and what your team values. For instance, small incentives such as a coffee or a treat may be valued by some people, whereas others might prefer a team movie night or an extra 10 minutes off on a Friday. The important thing is to consider what your team would really see as valuable; otherwise, the rewards could be a waste and fail to reinforce compliance behaviours.

    Positive reinforcement promotes positive change. Investing in a game or a rewards system is a preventative measure whose benefit will far outweigh the cost of recovering from even a minor cyber breach.

  4. Be Transparent

    Let your employees know when there has been a breach. In the case of a phishing email, this is an important measure to stop the attack in its tracks. It also provides a relevant training opportunity for staff. One idea is to send a phishing test with an email almost identical to the successful attack; that way you can use a real-life example to train the correct responses.

    Perimeter security services, like a spam filtering system, can do a good job of keeping bad emails out of your inbox, but they are not flawless: harmful emails still get through, and human failure is still the leading cause of cyber breaches. Understanding the motivations behind why people click on phishing emails can help you identify testing and training opportunities for staff. Focus less on just raising awareness and consider how you can elicit real change in behaviour to protect your business.

Need help implementing an IT security program that accounts for human error? IT Directorship works within SMBs to both implement and audit cyber security controls, as well as regularly train staff. When your staff are equipped to identify cyber risks, you can protect your business.