Today, nearly every organization relies on stable and secure IT operations, so cyber risks merit the same careful attention as other types of risks. Top leaders understand this: The World Economic Forum’s 2018 Global Risk Report claims that most influential movers and shakers view cyber attacks and breaches resulting in data theft or fraud as major threats to their businesses.
Developing a strong cybersecurity strategy requires understanding the source of breaches. The Verizon Data Breach Investigations Report 2018 reveals that employees with legitimate access rights are the second most common cause of breaches. The root cause can be either human error or an attack, since hackers often look for the soft underbelly, such as trusted insiders.
Therefore, reducing cyber risks must include building a culture that values cybersecurity. This requires shifting the mindset of all employees. In this blog post, I will explain four key steps to take to start establishing a strong security culture in your organization.
What is a security culture?
A security culture is a facet of the broader corporate culture that encourages employees to make decisions and fulfill their day-to-day duties in alignment with the organization’s security policies. By embedding security best practices in employees’ daily activities, you can mitigate cyber risks and improve compliance with even the most demanding regulations, such as GDPR.
Note that a security culture involves more than just security awareness. As CLTRe explains in its Security Culture Report 2017, awareness is a narrower concept — it involves users knowing the security procedures, but does not necessarily mean they are following them. A security culture, however, is a healthy mix of knowledge and follow-through.
Let me share some tips that will help you increase security awareness and, moreover, create a robust cyber security culture in your organization.
Tip #1. Employ leadership-driven cyber governance
Since all big shifts in an organization start at the senior level, it’s essential to make sure that the executive leadership team is interested in actively governing and nurturing cyber security, and is ready to communicate it to the rest of the company as an organization-wide issue and a cultural priority.
To achieve senior buy-in, I recommend regular meetings between C-level execs and the infosecurity leader in the company. The infosecurity person should report on cyber security issues, such as how well the company uses existing technology to mitigate threats and how the business will benefit from further investments in information security. IT teams cannot afford to stay siloed anymore; they need to explain to top management why security matters to the business and advise them about how to improve the company’s security culture.
Middle managers also play a big role in driving security culture, since they work with employees directly and can show them how to behave in a security-centric way. First, managers should lead by example and not violate security policy themselves. If a manager copies sensitive files to a USB stick and takes it home, staff are likely to think “Why not?” and do the same. Second, managers should take the initiative to explain proper workflows if their staff members misbehave and pose security risks to the company. They don’t have to be infosec pros to explain basic security rules. Having these managers on board and using their authority appropriately will be invaluable in effecting real change.
From my experience, security-centric behavior will echo throughout the company’s corporate culture only when management is committed to establishing a strong security culture.
Tip #2. Clearly document security policies
Security policy is a cornerstone of security culture because it guides employee behavior. You should create at least two documents. The first is the official security policy. Prepared by the IT department and signed off on by all stakeholders, it specifies rules and procedures that everyone accessing the company’s IT systems and assets must follow.
The other is an informal document created by HR that explains the company’s vision of security and highlights why following security best practices matters for the growth of the business and every employee. I also recommend detailing the consequences of not adhering to the policy: The employee could suffer a tarnished reputation, termination or even a lawsuit. This could be either a separate document or a part of an existing one, such as an employee handbook.
HR and hiring managers should make sure that new hires read the security policy on their very first day, and that everyone can easily refer to it at any time.
Tip #3. Train employees
Cyber security training may seem labor-intensive but it is effective in fostering a security culture. According to the Netwrix 2017 IT Risks Report, 37% of respondents claimed that insufficient staff training was one of the major obstacles in implementing a more efficient IT risk strategy.
There are a variety of types of training available, from traditional PowerPoint presentations conducted by an IT team member to more modern options. For example, some of my peers from other companies require every newcomer to go through video training on security and sign off on its completion before starting any work. They report that employees who go through this training rarely have problems, unlike people hired before the program was started, who often called support for the basic stuff.
Another engaging way to foster security-centric behavior is role-playing games. Employees walk through security-related cases and decide how to solve certain problems in alignment with the security policy. When writing scenarios, I suggest focusing on two or three top IT risks your company faces, whether that’s ransomware, privilege abuse, improper distribution of sensitive data or something else. Coming up with substantial scenarios and conducting the games can take quite a bit of time, but this type of training can be very effective because it offers a lively, hands-on framework for learning IT security concepts. Employees learn in a playful yet practical way how to follow security policy and try different roles without posing any risk to the organization.
Be sure to tailor the content of each training to the employees taking it. Consider their department and other group memberships, level of responsibility, prior knowledge, what data they have access to, and which tools they are using. For instance, people who don’t have access to customer databases don’t need training about how to work with them securely. Using examples of how employees in your company have violated policy in the past and what happened to them might also be effective, but do not demonize the offenders and, of course, do not disclose any names. However, showing that cyber threats are closer than one may think is a good way to encourage employees to follow security policies.
I advise paying particular attention to social engineering. If email security solutions were a panacea, I doubt that half a billion users globally would have been targeted by a massive phishing attack in the first quarter of 2018. The best approach is to conduct simulated phishing attacks every now and then, so you can pinpoint individuals who fall for malicious emails and teach them how to identify phishing and how to respond.
The frequency of training depends on your needs and your employees’ learning curve. Often organizations require employees to refresh their knowledge of security rules by passing brief tests every 3–6 months or so.
Tip #4. Encourage people to report incidents
A company is like a community in that employees can contribute to its prosperity by being socially responsible. To nurture security responsibility, management should encourage everyone to report not just full-fledged incidents, but even suspicious things they encounter. They should provide an easy way to do this; normally, reaching out to the IT department directly should suffice. By getting employees on board with reporting, you will spot security issues sooner and be able to respond faster.
I also recommend encouraging managers to recognize team members who helped detect a problem, either in an email or at a corporate meeting. This demonstrates to everyone else that they are welcome to do the same because cyber security is important for the company.
Building a strong security culture takes work, but it is undoubtedly the right path. Many organizations are already working on making this cultural shift because they recognize they must approach information security with the same level of engagement and responsibility as financial and other risks. Commitment from the top down to taking individual responsibility for security will spawn a strong security culture across the organization, adding a critical layer of defense and reducing IT risks.