With cyber threats becoming more and more sophisticated, and with almost one-third of US businesses having suffered a data breach, it’s expected to see businesses making cybersecurity one of their highest priorities. In fact, 40% of companies claim that cybersecurity is, and will remain in the next 12 months, the top priority driving their technology spending, according to a report by ESG.
Why do companies need cybersecurity culture?
Businesses investing heavily in cybersecurity often base their investments on technology, but don’t sufficiently attend to the human side of it — which remains the top cybersecurity risk for many organizations.
Most frequently, cybercriminals will perform attacks on an organization using phishing emails and similar tactics, making employees the first line of defense that needs to be strengthened. After all, computers and apps aren’t clicking on phishing emails, humans are — so that’s where cybersecurity investments need to be focused. Employees are also the ones with everyday access to many of the organization’s computers, networks and systems, which means they play an important part in building resilience in the threat landscape.
With cybersecurity, culture in the workplace plays a big role in the entire organization and its security posture. Cybersecurity culture in the workplace is more than pushing policies without proper explanation and telling your employees they need to change their passwords regularly. Employees aren’t purposefully putting their organization at risk, they merely need training and guidance to avoid different types of cybercrime.
Cybersecurity culture in the workplace is more than pushing policies without proper explanation and telling your employees they need to change their passwords regularly.
That’s why organizations need to work on building their security culture. This includes spending more time explaining and raising awareness with their employees about possible cyber risks and their implications, enforcing safe cybersecurity procedures that will assimilate easily with their daily work routines and practices, and showing them how their behaviour can help or hinder the entire organization’s structure, from their solutions and products to third-party vendors.
Why is it hard for companies to instill cyber security culture?
Two reasons often come up as obstacles to creating a well-rounded and sustainable cybersecurity culture. When addressed properly however, they can make the biggest positive impact.
Lack of employee buy-in
Despite many organizations focusing on developing cybersecurity awareness, not all individuals understand their role in the organization’s security culture. We find that awareness typically runs high with IT and security teams, but they’re only a small part of the picture.
The lack of employee buy-in is one of the main reasons it’s difficult for organizations to instill proper cybersecurity culture in their workforce.
In a report published by CompTIA, 50% of employees have never received any formal cybersecurity training, so it’s no surprise that 96% of them still save passwords on their devices for “easy access.”
But when standard security training often means a bland instructional video or a boring PowerPoint presentation, we can’t really blame employees for a lack of awareness. Security training needs to be more than a mere annual necessity. It needs to be an interactive and engaging experience that will solidify their role in the security posture of the organization.
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
Lack of executive buy-in
When we talk about employees, our mind instantly goes to the “workers,” but when thinking in terms of cybersecurity culture we need to include management and executive leadership as well. All of them play a collective role in an organization’s cybersecurity resilience.
Because leadership and management are often excluded, the lack of buy-in from their side is another stumbling block for an organization in need of a healthy cybersecurity culture.
For that reason, security training that brings employees, managers and executives together is a must for opening up the dialog. Sharing their experiences and exploring the different threats they experience at their respective roles will provide better input to cybersecurity awareness across different levels of the organization.
Four ways to instill cyber security culture in your company
There are a few obvious steps in nurturing security culture in the workplace, such as educating employees to not click on suspicious links, to not share their passwords and to have different passwords for different accounts. But that’s only the beginning.
Good, sustainable cybersecurity means more than teaching people its core values, it also means showing how it can benefit them. As security professionals, we know the implications of bad security posture, but the average worker might not. Therefore, we need to share our knowledge, and make it accessible and easily understood by non-security people.
As mentioned, employees are your first line of defense when it comes to network threats, and enhancing their knowledge in this area not only prevents cyber attacks and data breaches, it also helps the organization learn about threats and respond to them quickly.
Overcoming the obstacles of employee and executive buy-in, and having them all work together in conjunction with IT and the security team will build a truly cyber resilient organization. We know that’s not easy, so we have a couple of tips to help you create a plan for security awareness training:
1. Start with the basics
We often see organizations skipping on the basics. This can create a lot of confusion among employees — causing them to make mistakes that could easily have been avoided.
Essentials like having a strong password policy can go very far. Standard password policies will create an effective line of defense, making it harder for attackers to break into your system. In addition, enabling a 2FA will add another layer of security to the baseline and limit access to accounts. An important thing to note on 2FA is that SMS 2FA is not secure at all and there are many other options in enabling 2FA in your organization.
While on that subject, it’s also a good practise to limit access to data, systems. and software to only those who are meant use them in their role. Also, once an employee is no longer working with you, make sure you terminate their access so no sensitive data is at the risk of being exploited.
Some limitations need to be put on software that is available for download on the devices employees use during their work day. Having a database with safe downloads will go far in preventing the installment of some types of malware on work computers.
2. Develop engaging and ongoing cybersecurity training
A lot of people don’t like to learn. For many of us, it reminds us of the classrooms where we had to learn a bunch of stuff we weren’t interested in, presented in a non-engaging way. Remember that feeling? Well, there are really no excuses for making security training resemble that experience in the least.
In my previous job, our mandatory 6-month security training session was presented as a PowerPoint presentation with a test at the end. And guess what? Just as in school, one person did the test, wrote the answers and just forwarded them to the rest of us. Do you think we learned anything? No, I don’t think that most of us even read what was on those slides. We were only clicking “Next”.
This is the biggest issue with the kind of cybersecurity training employees typically receive. If you’ve already invested in creating cybersecurity culture, make the training engaging and interactive for your employees. Use real-life examples, show them the ill effects of bad security hygiene, but don’t stop there. Let them know how important their role is and how they can help the entire organization run smoothly.
Make it fun for them. Organize a competition to find out who will spot a phishing email or a phishing domain first, share stories with them on the effects of good cyber security culture and make it ongoing. Don’t push a full week of security training on them once a year, make it a weekly agenda to remind them to always be vigilant and reward them for reporting any bugs or threats.
Relevance is also key. Customize training for different departments, as not all of them come in contact with the same threats, and create room for dialogue between departments so they can share their experiences. This will lead to a deeper understanding of cyber hygiene and its many different components.
3. Use metrics to monitor post-training behaviours
Making fun games and competitions a part of engaging security training will also help you keep track of its effectiveness. Through quick and regular assessments and tests, make sure that the training you provide is useful and that it actually provides concrete knowledge for your employees. These metrics will show you how far you’ve come with building and developing cybersecurity culture.
Be creative. You can go so far as to assign negative points to those who don’t perform well; you can even mention the names of those who don’t perform well. Of course, this approach doesn’t work in all company environments so you’ll need to figure out what best suits your team, and tailor it for them.
4. Make it easy for them to report threats
It’s easy for employees to think of IT and security departments as teams they don’t come in contact with unless they’ve made a mistake. Communication needs to be open with all departments, and employees need to feel positive about reaching out to the security department to either report something or to react in a constructive manner when they’ve made a mistake.
That means employees should recognize the security team as people they can get help from, with whom they can gain a deeper knowledge of their role in the cyber security culture, a place where they won’t be punished for their human errors.
Create channels where employees can easily reach out to security experts to report anything they find suspicious, ask any questions or request additional security training.
Benefits of having a strong cyber security culture
In 2019, no one can claim that cybersecurity isn’t important and shouldn’t be a priority. That’s even truer when it comes to businesses and the culture they nurture with their employees.
Having a strong and resilient cybersecurity culture will protect the organization against cyber threats and possible data breaches. We’re aware that creating good security training is not a small investment, but the benefits of it far outweigh the consequences of not having one at all. Keep in mind the average cost of a data breach, as well as the loss of business projects and the greater vulnerability to future attacks your company could suffer.
Good security culture will also create a stronger customer trust and loyalty to your brand — because customers don’t want to do business with a company they know has been breached, where their data might not be safe. Proper attention in this area can only grow your brand’s reputation and the costs of security training will be covered in no time.
Better brand reputation will also bring you new business ventures with clients who feel safe working with a company that has invested in the security of their staff, products, solutions and vendors.
When you create a sustainable cybersecurity culture in the workplace, employees learn to understand their role in keeping the organization safe. They’ll accept responsibility and help you work quickly and effectively to remove any threats. The human factor may be the weakest link in security practices, but you can up your chances against cyber threats by investing in your employees and making that weakest link your strongest asset.
We’re here to help security researchers and infosec professionals. Make sure you are keeping you, your company and your customers safe from hackers. Grab your free API account today or check out our SurfaceBrowser and make sure the external surface area of your company doesn’t reveal sensitive information.