"Never underestimate your employees' digital skill, at most underestimate how poorly we sometimes explain it to them." There is a persistent image that employees are digitally clumsy and therefore pose the biggest risk. But that image is often wrong. Most people are surprisingly digitally skilled in their private lives.
The real problem: we underestimate people
People manage their banking via an app, recognise a fake webshop, pay with their phone, manage passwords, and see through most scams in their private lives effortlessly. Yet we treat those same people at work as if they understand nothing. We give them simplistic training, patronising messages and rules without explanation.
And then we are surprised that they disengage. But disengaging is a logical reaction to being underestimated. Someone treated like a child does not behave like an engaged professional. The fault then lies not with the employee, but with the way we communicate.
Treat people as the professionals they are
When you take employees seriously, everything changes. Give them explanations instead of rules. Explain the why behind a measure, not just the what. Connect to what they can already do in their private lives, and build on that.
An employee who effortlessly recognises a suspicious payment request at home can do that at work too, provided you make the translation. "You know how to recognise a fake text from a delivery service? At work phishing works exactly the same." Suddenly security is no longer a new, scary topic, but an extension of something they already master.
This approach works because it gives confidence instead of taking it away. People feel competent, and competent people take responsibility. They become your allies instead of your risk.
From risk to strength
The biggest mistake in security thinking is seeing employees as the weakest link. In reality they are your biggest opportunity: thousands of eyes and ears that can notice anomalies, report suspicious messages, and hold each other to account, provided you enable them to.
That starts with respect for what they can already do. Stop assuming that people do not understand, and start by asking how to connect to what they already know. Then you discover that the "weakest link" can actually be your strongest line of defence.
FAQ
Are older employees less digitally skilled?
Less than assumed. Age predicts skill poorly; motivation and context predict it far better. Many over-60s bank and pay digitally.
How do you connect to private skill?
Use private analogies: 'like recognising a fake delivery text at home'. Translate work risks into recognisable private situations.
What if someone really is digitally clumsy?
Offer targeted extra support, without patronising the whole group. Differentiate instead of levelling everyone down to the lowest level.
How do you change the 'weakest link' narrative?
Celebrate reports and improvements visibly. Make people the heroes of security stories, not the culprits.