
IT SECURITY TRAINING

Your company’s IT services represent your primary security endpoints. The more business processes
fall under the purview of IT services and operations, the more valuable IT security becomes to your
business.

Unfortunately, hackers and other external IT security threats recognize the value of your company’s
IT services.

With malicious, external cyber threats looming, your company needs to be prepared for IT security
attacks both externally and internally.

It’s crucial for your company to remember that your employees represent a significant part of your
security apparatus. Depending on the circumstance, your employees can either serve as a security
asset or liability.

To strengthen your company’s IT security, you need to use human resources to form a strategy to
invest company resources toward educating and preparing your employees for an increasingly severe
IT security landscape.

This article examines the current state of IT security awareness among employees and outlines how
human resources can help educate employees to become security assets, rather than liabilities, for
your company.

Current State of Employee IT Security Awareness

Employees currently struggle to recognize IT security threats to their companies.

In fact, employees do not consider IT services as the most vulnerable area of their companies. Rather,
they identify physical theft of property as the biggest threat to company security, according to
recent research from Clutch.

In addition, employees at all levels lack a comprehensive understanding of their companies' IT security
policies. Recent research from CyberArk determined that nearly half of employees are not fully aware
of their company’s policy, including one-third of company decision-makers.

What Can HR Do to Encourage Employee IT Security Awareness?

Each one of your employees needs to understand the importance of your company’s IT services.

**The best way to encourage IT security awareness among your employees is to establish strong
compliance training programs for all employees**.

Many businesses have IT security compliance training and requirements in place, but often fail to
actually connect with employees about the aspects of security policy, or security threats, they struggle
with.

For example, low-effort policy entails sending out periodic emails that remind employees to update
security software, passwords, or require them to acknowledge security policy. While these efforts are
better than nothing, they make very little actual impact.

This is where HR needs to step in. Human resources needs to work with company IT to ensure that
your company’s policy and compliance are communicated to employees in a consistent and effective
manner.

In particular, policy compliance training and updates need to be included as part of employee
onboarding. Each employee, regardless of position, should be introduced to your IT security policy
during onboarding.

Your security onboarding program should cover three areas in particular:

1. Details of policy: The areas of the business that your IT security policy covers (i.e., required
software, password requirements, points of contact)
2. Compliance training: How to follow company IT security policy and security best practices.
This training needs to include how to respond in the case of a cybersecurity breach.
3. Threats to IT services: Outstanding threats to your company’s IT services and security, and
how to protect against them. Your company should also discuss security incidents of the past
to give insight on how they were handled and reflect on how to handle such incidents in the
future.

These areas of focus are not exclusive to new employees. Compliance training and security updates
should continue on a consistent basis to maintain an educated employee base.

Be Creative About Encouraging IT Security Awareness

Human resources needs to be creative about how it can encourage IT security awareness and policy
compliance.

Incentivizing employee interaction with security policy is one approach for your company to experiment
with to motivate employees to engage with and understand IT security.

One example of how to incentivize IT security is through running email phishing tests. For example,
you can send out a test phishing email, and those employees who properly identify and report it are
given a small prize like a gift card or an added hour of PTO.

**The possibility of incentives fully engages employees in your security operations, since they have a
personal stake in secure behavior**.

Invest in Your Employees to Strengthen IT Security

If your employees are educated about policy and compliance best practices, they represent assets to
your company’s IT security.

Currently, though, employees struggle to understand their companies' IT security policies and
compliance. As a result, they represent security liabilities to their companies.

To curb this issue, human resources needs to collaborate with IT to encourage active employee
engagement with the security policy through creative solutions like incentives for policy compliance.
