The number of cyber threats on businesses is mounting and only expected to amplify in the coming years. Today, cybersecurity is a critical component of an organizational business plan to ensure data privacy and avoid the financial premium associated with cleaning up a cyber breach.
Although IT security is a critical component to a security plan, one of the most vulnerable areas for any organization is not technical – it’s the employees. Many cyber criminals focus on attacking individuals through malware, phishing and other scams, placing employees on the frontlines in the fight against cyber threats.
Fostering a cybersecurity culture can present a stronger front against cyber threats than any single policy or procedure, and will outlast individual turnover and isolated incidents. Create a cybersecurity culture by weaving cybersecurity through organizational procedures and practices, and maintaining an active conversation.
Be honest. Assess the culture and establish where organizational security stands currently. Understand the approach to addressing audit results, technology and security priorities, and any metrics in place that measure progress. In addition, recognize practices that may heighten risk: bring-your-own-device (BYOD) policies, foreign travel, unencrypted communication (like instant messaging), data storage on personal devices, nonstandard computer configuration, and use of software that isn’t vetted by the security office.
Outline the mission. Before working out specific details, clearly establish what constitutes success for security and technology. In a 2017 article on Government Technology, security expert Dan Lohrmann recommends studying National Association of State Chief Information Offers (NASICO) award winners to understand best practices and inspire ideas. Convert the mission into an “elevator pitch” to ensure it can be verbalized easily. Celebrate when the organization has success to underscore the value placed on security and further establish the culture.
Win executive support. As Lohrmann points out, executive action drives priorities for employees, just as children observe and mimic their parents. When executives support a cybersecurity culture, they allocate resources to support the message and prompt regular discussion about security. Highlight the hard costs that accompany cyber threats – in addition to the $7.7 million a 2015 Ponemon study estimated was lost annually, attacks may tarnish reputations or plummet stocks. Finally, highlight that cybersecurity protects intellectual property from hacking, and keeps it out of competitors’ hands.
Win employee support. Headline-making breaches may not feel applicable to all departments. Earn employee support with department-level conversations about the impact of cyber threats to ensure staff realize the value of security and aren’t tempted to circumvent processes. In an interview with Security Intelligence, IANS Research faculty member Mike Saurbaugh recommended organizations personalize the message further by applying security concerns to a wider context – like protecting families and personal finances.
Define roles and expectations. Eliminate ambiguity with a detailed plan specifying roles, goals and responsibilities for departments if a cyber attack occurs. Expand responsibility for promoting security outside the IT security team by appointing other departments as well. Create confidence that if a mistake happens, company security experts will find solutions, offer support and skip the blame.
Invest in training. Clearly communicate all cybersecurity politics and guides, and expect the IT department to routinely educate employees on attacks and the resulting areas to monitor. And, ensure a consistent onboarding program is in place for new hires. IT service experts GlobalSign says these topics should be on the agenda:
- Password management
- Encryption and digital signing, if applicable
- Phishing attacks
- Backing up work
- Sending personal or sensitive information
- Account access
- Authentication
- Policies and best practices
Lean on an outside party to handle training if internal resources aren’t available.
Keep score. Increase engagement in routine tests with an element of gamification – or an incentive for early responders. For a less individualized approach, departments could compete against one another. Use public recognition to reward employees and affirm the value of proper cybersecurity. Alternatively, Naked Security recommends a punitive approach instead for quicker improvements, through mandatory training or a naming and shaming policy.
Create a lively conversation. As with any culture, story is often the backbone. Continuously discuss cybersecurity, leveraging lessons from cybersecurity news and keeping employees current on best practices. Newsletters, forums or regular training sessions can create regular opportunities to discuss cybersecurity. Foster an environment that encourages questions, and ensure employees know who to ask. Equally important: make sure the answer isn’t rife with jargon.
In an established cybersecurity culture, employees will accept responsibility at an individual level for supporting security – and will have the training and knowledge to act. This collective approach moves employees from risk factor to security advocate, and employees may even proactively protect the business as they become more cognizant of cybersecurity practices. With cybercrime costs rising, a proactive stance will clearly pay off for individuals and businesses alike.
