KANSAS CITY, Mo.—Thaddius Intravaia lost 42 days of his life to a cyberattack. Weekends and holidays, too. That's how long it took for him to manually examine the years of email data stowed in the inbox of a co-op staffer who clicked on a malicious link.

Intravaia, the IT director for Southwestern Electric Cooperative in Greenville, Illinois, sees it this way: “It's my fault. I didn't make sure they knew they shouldn't have done that.”

The co-op had cybersecurity policies in place to warn of suspicious links and to encourage timely disposal of emails, especially for staffers who work with personally identifiable information, he told attendees at NRECA's Co-op Cyber Tech earlier this month. But what was missing was employee buy-in.

“Users don't see the relevance of what we do day in, day out,” he said.

Intravaia said he gets it—people are creatures of habit and don't like change, especially when they've been at the same job for many years and may not see the reward for taking extra steps for cybersecurity. But the stakes of a data breach are high.

In addition to the hours required for Intravaia to determine the depth of the attack, the co-op faced consultant fees, attorney fees, remediation costs, a tarnished reputation and the loss of members' confidence.

Breaking down resistance to cybersecurity procedures requires 100% buy-in starting at the top, no exceptions, he said. Helping CEOs understand the risks of a breach and the financial cost of a long shutdown due to a cyberattack can demonstrate what's at stake.

“Make it relatable to them,” he said. “Help them see what we see.”

It also helps to engage all employees in conversations about the importance of “digital safety,” or “cyber safety,” because they understand safety is the co-op's main concern and their responsibility, too, he said. “When we say 'security,' people think, 'It's your problem, IT.'”

Learn users' “pain points,” such as multifactor authentication, work through them with the users and keep communications open. “Let them know they are being heard,” he said.

When it comes to training staff in cybersecurity, Intravaia said he follows four rules to build their commitment:

  • First, know your audience and make cybersecurity procedures relevant to them. Your approach will shift from member relations representatives to human resources staff to engineers.

  • Focus on the behavior you want to fix and how that staffer's position plays a role in a strong cybersecurity defense, such as being aware of payroll phishing emails.

  • Find time to insert training sessions or updates. This could include during monthly co-op meetings, one-on-one sessions or even observing staff to see how they apply cybersecurity.

  • Consider ways to keep users attentive to cybersecurity and how to measure success or where more training is required.

“Lots of times our users feel like they're being ignored,” Intravaia said. “The most critical thing that resonates with them is a sense of inclusion.”

He said he's noticed a positive culture shift since involving staffers in conversations about cybersecurity, how to follow the procedures and why the procedures are important.

“Before it was always pitchforks,” Intravaia said. “We still have outliers who grumble, but now they do it and grumble.”

View NRECA's summary of resources and engagement opportunities to gain understanding of cyberthreats to our industry and take steps to advance cybersecurity preparedness.