Businesses can’t just buy a bunch of security products, and think that they’re protected from cyberattacks. Security involves more than that including strategy, education, and training. TechRepublic talked with Secure Anchor CEO Eric Cole to discuss how employers can teach cybersecurity best practices to their employees.

“There’s a lot of different awareness programs where people get phishing emails and if they click they get penalized,” Cole said. “What I found, and I was sort of shocked of how effective this is, make security a KPI. A key performance indicator, not only for individuals but managers.”

If employees get penalized for their actions like using poor judgement when clicking links, they become much more aware and careful of what they do from a cybersecurity standpoint. “I’m not usually a big fan of penalizing, but KPI-based security metrics has had a huge, huge positive impact on all my clients,” he said.

To keep important information secure, companies need to make sure their servers that are accessible to the internet don’t contain critical data. Over the past 12 months, the companies that were hit by cyberattacks should have asked themselves “Do we have any servers accessible from the internet that contains critical data?” and many of those breaches could have been prevented, Cole said.

“It’s taking a data centric approach to security, and not relying just on buying technology to be protected,” he added.

Also see