More than 90 percent of successful cyberattacks begin with a phishing email, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Yet even in organizations with regular cybersecurity training, phishing attempts go undetected. Why? Because the training and internal communications often frame cyber threats as a risk to the company – not as a risk to the employee.
If leadership centers cybersecurity discussions around protecting company assets and proprietary data, employees are more likely to tune the message out. These concepts can feel abstract, distant, or immaterial in comparison with the other tasks at hand to keep daily operations running smoothly.
But if leadership can show employees that cyber threats are personal – that hackers are targeting their families, bank accounts, and reputations – they are more likely to take the matter seriously. Suddenly, good cyber hygiene isn’t just a box to check, but a way to protect loved ones.
Here’s how you can reshape your communications to help ensure cybersecurity remains a meaningful priority for all within your organization.
- Make the information personal. Facts and figures are helpful, but stories stick. Share real-world examples of phishing scams that have impacted individuals, not just organizations. If possible, share an example of when you or a loved one came across a sophisticated scam that could have started with a single click. Remember, your supervisor is highly unlikely to ask you to purchase gift cards and share the redemption code via email.
- Show, don’t just tell. Phishing emails can be subtle. Use visual examples to walk employees through what red flags look like, such as suspicious or mismatched sender addresses, urgent language, unexpected attachments, or simple misspellings the purported sender would typically not make if the email were genuine.
- Tailor the messaging to individual departments or job functions. Cyber threat formats are likely to differ across departments, and so should your internal communications about vigilance. For example, the finance department may be targeted with fraudulent invoices, while the HR team may receive fake job applications containing malware. When employees understand how phishing threats relate directly to their roles, their motivation to stay alert will likely increase.
- Create a culture of caution, not fear. Cultivate a workplace environment that values thoughtfulness over speed, or your efforts to warn employees of phishing attempts may backfire. Encourage employees to report anything suspicious and celebrate when they do. Make it clear that no one will be punished for reporting a false alarm. The goal is not perfection, but vigilance.
- Offer immediate, easily actionable next steps. Empower your team with simple, practical tools. Promote the use of multi-factor authentication as an added layer of protection, and provide staff with clear instructions for escalating suspicious emails to IT. It’s also helpful to remind staff to verify unusual requests in person or by phone.
- Develop a crisis communications plan proactively. Crisis communications professionals regularly prepare organizations for a number of crises that could arise at any given time, including cyberattacks. Being prepared for successful phishing attempts before they occur can help ensure the organization’s initial response to the matter is not a misstep. This will also allow the organization to shore up its escalation protocols, ensuring that all staff who answer phones know how to contact leadership, should any media inquire about the cyberattack.
When employees feel that cybersecurity is about protecting them, they’ll be more likely to care, engage, act, and protect the organization when it really counts. By reframing the message and offering meaningful, role-specific guidance, organizations can build a workforce that’s both aware of threats and actively working to stop them from occurring.
Allison McGeever is account director at Kessler PR Group, the region’s go-to crisis communications firm.
The opinions expressed in this op-ed are those of the author and do not necessarily reflect the views of ROI-NJ.