Cybersecurity is top of mind among North Carolina employers, with leaders assessing best practices for how to engage workers in keeping the company safe.
Strategies range from multi-factor authentication to anti-malware programs to zero trust. Many companies, including Charlotte's Brighthouse Financial Inc. (NASDAQ: BHF), are implementing security championship programs where employees can answer questions and encourage secure practices among their colleagues. These advocates, often in non-technical roles, help connect regular employees with a company's technology experts.
Brighthouse will consider potential awards for those employees and ensure there are backup teams to support them, said Devon Arendosh, chief information security officer at Brighthouse.
"It's an extension of more education," Arendosh said. "I think if they understand the concept behind why we're doing something, it will work a lot better."
Arendosh was one of several panelists at the NC TECH Association's Outlook for Tech event in Charlotte today. Her panel group, focused on cybersecurity, also included Donna Hart, CISO at Ally Financial Inc. (NYSE: ALLY), Chuck Kesler, CISO at Pendo, and Ryan Schwiebert, chief information officer at Wake Technical Community College.
Hart said cybersecurity is one of Ally's top-10 focus areas, with support from executive leadership. Detroit-based Ally and Brighthouse must operate in the heavily regulated financial-services environment.
At Ally, there are consequences if employees fail phishing tests too many times. Those consequences typically involve more training and also reporting incidents to leadership, Hart said. It is common for companies to take a punitive approach to cybersecurity. That tactic works. Ally maintains a failure rate below 5% most of the time, she said.
Kesler said Pendo tries not to take a punitive approach, instead working to empower employees to report problems. Cybersecurity can quickly turn into an issue of cognitive overload for workers. He said younger generations are usually better at spotting phishing attempts, for example, because they are more familiar with what that looks like.
Still, people will fall for a false link to pets' Halloween costumes, Hart said. She compared phishing to allowing strangers into one's home.
"You also want to be able to limit the blast radius if something bad does happen," Kesler said. "The bottom line is, whether it's 5%, 20% or 30%, people are going to click on phishing messages. I have seen a shift in mentality towards, 'OK, we have to accept some of this is going to happen, so let's make sure we have the appropriate controls in place.'"
Pendo, especially in a work-from-home setup, treats every laptop as if it is in a hostile environment, Kesler said. Home networks can be some of the most hostile, he noted.
Schwiebert at Wake Tech said making cybersecurity more personal is another way to drive engagement. Employees pay more attention if a breach could affect their individual accounts, rather than just the organization as a whole. Educational systems tend to be a high target for security breaches, he said. Raleigh-based Wake Tech is a large organization with roughly 70,000 students and 4,000 employees. Schwiebert said it is also beneficial to recheck whether employees actually need access to the technology.
