Cybersecurity culture within the company

Today, nearly every business relies on stable, secure IT operations, so cyber risks deserve the same attention as other types of risk. Top executives understand this: the World Economic Forum’s 2018 Global Risk Report states that most influencers consider cyber attacks and intrusions resulting in data theft or fraud to be major threats to their businesses.

Implementing a robust cybersecurity strategy involves understanding the source of intrusions. The 2018 Verizon report on data breach analysis reveals that employees with legitimate access rights are the second most common cause of privacy breaches. The root cause can be either human error or an attack, as hackers often look for the soft underbelly, such as trusted employees.

Therefore, reducing cyber risk must include creating a culture that values cyber security. To do this, the mindset of all employees must change. In this post, I will explain four key steps to take to begin building a strong security culture within your organization.

What is a cybersecurity culture?

Security culture is a facet of the broader corporate culture that encourages employees to make decisions and perform their daily tasks in accordance with company security policies. By embedding security best practices into employees’ daily activities, you can mitigate cyber risks and improve compliance with the most stringent regulations – the GDPR, for example.

It’s worth noting that a culture of security is more than just security awareness. As CLTRe explains in its 2017 Security Culture Report, awareness is a narrower concept – it implies that users know about security procedures, but does not necessarily mean that they follow them. A culture of security, however, is a healthy mix of awareness and follow-through.

Let me share some tips that will help you increase security awareness and, moreover, create a strong cybersecurity culture within your organization.

Tip #1. Use leadership-driven cyber governance

Since all major changes in a company start at the senior management level, it’s critical to ensure that the executive team is interested in actively governing and nurturing cybersecurity, and is willing to communicate it to the rest of the company as a company-wide issue and cultural priority.

To get buy-in from senior management, I recommend regular meetings between C-level executives and the company’s IT security manager. The person responsible for info security should report on cybersecurity issues, such as how the company is using existing technology to mitigate threats, and how the company will benefit from further investments in information security. IT teams can no longer afford to remain isolated; they need to explain to senior executives why security is important to the company and advise them on how to improve the company’s security culture.

Middle managers also play an important role in security culture because they work directly with employees and can show them how to behave in a security-centric manner. First, managers should lead by example and not violate the security policy themselves. If a manager copies sensitive files to a USB drive and takes them home, staff are likely to think “Why not?” and do the same. Second, managers need to take the initiative to explain the proper workflow if their staff members are misbehaving and presenting security risks to the company. They don’t need to be infosec pros to explain basic security rules. Having these managers on board, and using their authority appropriately, will be invaluable in effecting real change.

In my experience, it is only when management commits to establishing a strong security culture that security-centric behavior will permeate the entire corporate culture of the company.

Tip #2. Clearly document security policies

The security policy is the cornerstone of the security culture because it guides employee behavior. You should create at least two documents. The first is the formal security policy. Prepared by the IT department and validated by all stakeholders, it specifies the rules and procedures that anyone accessing the company’s IT systems and assets must follow.

The other is an informal document created by HR managers that explains the company’s security vision and emphasizes why adherence to security best practices is important to the growth of the company and the advancement of every employee. I also recommend detailing the consequences of not following the policy: the employee could suffer a tarnished reputation, termination, or even a lawsuit. This can be a separate document or part of an existing document, such as an employee handbook.

HR managers and hiring managers should ensure that new employees read the security policy on their first day, and that everyone can easily refer to it at any time.

Tip #3. Train employees

Cybersecurity training may seem laborious, but it is effective in fostering a culture of security. According to the Netwrix 2017 IT Risk Report, 37 percent of respondents reported that inadequate staff training was one of the biggest barriers to implementing a more effective IT risk management strategy.

There are various types of training, from traditional PowerPoint presentations by an IT team member to more modern options. For example, some of my peers at other companies require every new hire to complete a security video training, and to acknowledge that they received it, before starting work. They report that employees who complete this training rarely have problems, unlike earlier hires, who often asked for help with basic elements.

Another engaging way to foster security-centered behavior is through role-playing. Employees review security-related cases and decide how to resolve certain issues in accordance with the security policy. When writing scenarios, I suggest focusing on the two or three major IT risks your company faces, whether it’s ransomware, privilege abuse, improper distribution of sensitive data or something else. Developing solid scenarios and running the games can take some time, but this type of training can be very effective because it provides a lively, hands-on setting for learning IT security concepts. Employees learn in a fun yet practical way how to follow the security policy, and try out different roles without posing a risk to the company.

Be sure to tailor the content of each training course to the employees attending. Consider their role and the groups they belong to, their level of responsibility, their prior knowledge, the data they have access to, and the tools they use. For example, people who do not have access to customer databases do not need training on how to handle them safely. Using examples of how employees at your company have violated policy in the past, and what happened to them, could also be effective, but don’t demonize the violators and, of course, don’t disclose any names. Showing that cyber threats are closer than people think is a good way to encourage employees to follow security policies.

I would advise paying particular attention to social engineering. If email security solutions were a panacea, I don’t think that half a billion users worldwide would have been the target of a massive phishing attack in the first quarter of 2018. The best approach is to simulate phishing attacks from time to time, so that you can identify people who fall for malicious emails, teach them how to identify phishing and how to respond.

The frequency of training depends on your needs and the learning curve of your employees. Organizations often require employees to refresh their knowledge of security rules by taking short tests about every 3-6 months.

Tip #4. Encourage people to report incidents

A company is like a community in that employees can contribute to its prosperity by being socially responsible. To foster security responsibility, management should encourage everyone to report not only full-fledged incidents, but also suspicious items they encounter. They should provide an easy way to do this; normally, it should be as simple as going directly to the IT department. By involving employees in reporting, you’ll be able to spot security issues faster and respond more quickly.

I also recommend encouraging managers to recognize team members who helped spot a problem, whether in an email or at a company meeting. This demonstrates to everyone else that they are encouraged to do the same, because cybersecurity is important to the company.

Implementing a strong security culture takes work, but it is definitely the best path forward. Many organizations are already working on this culture shift, because they recognize that they need to approach information security with the same level of commitment and responsibility as financial and other risks. The top-down commitment to taking individual responsibility for security will generate a strong security culture throughout the enterprise, adding a critical layer of defense, and reducing IT risk.
