9 Ways to Build a Cybersecurity Culture
Sep 19, '19 by Joerg Schneider-Simon
A commonly cited figure is that 90% of successful cyberattacks are caused by human error. Why? In large part because most organizations don’t have a healthy cybersecurity culture.
According to ISACA and the CMMI Institute in their 2018 Cybersecurity Culture Report, only 5% of organizations are satisfied with the state of their cybersecurity culture. Less than half of the organizations studied regard their security culture as "very successful."
The costs of having a poor cybersecurity culture are immense:
- increased vulnerability to data breaches and data loss
- increased risk from non-compliance with federal regulations
- missed business opportunities
- loss of market share as customers and prospects take their business elsewhere
If you want to improve cybersecurity at your organization, start by creating a cybersecurity culture.
But what, exactly, is a cybersecurity culture? The folks at Silicon Republic put it nicely:
Essentially, cybersecurity culture in the workplace amounts to the promotion of safe cybersecurity practices that integrate seamlessly with people’s work. It is making employees aware of cybersecurity threats and making them amend their behavior accordingly in order to mitigate potential threats.
In effect, when you build a cybersecurity culture, every employee becomes a member of the Information Security team, devoting time and energy to helping keep your organization safe from cyberattack.
Sound good? Here are nine tips for building a cybersecurity culture.
Tip 1: Make it personal
Most employees see cybersecurity as an abstraction. They can’t see it or feel it. They might be able to imagine how an organization can lose millions of dollars to a phishing attack, but they won’t feel any personal connection to that risk. Ask them instead to imagine what it’s like to have someone steal their ATM card and empty their personal checking account. Now it’s personal, and that scenario becomes an analogy for your organization’s larger cybersecurity issues.
Translate cybersecurity from the abstract to the concrete by showing employees how their actions and their behaviors directly threaten the security of your organization.
Tip 2: Move beyond the checkbox
For many organizations, employee compliance with cybersecurity rules begins and ends with checking a box on a form. “I have read and understand and will follow the corporate cybersecurity policies and procedures,” each employee affirms with the check of a box.
But creating a culture of cybersecurity isn’t about checking a compliance box. It’s about practicing effective cybersecurity measures every day. So, move beyond having employees simply affirm that they agree to practice cybersecurity, and work to help your employees actually do it.
Tip 3: Make training iterative
For many new hires, “cybersecurity training” evokes images of sitting in a dark, windowless room, experiencing death by PowerPoint at the hands of an IT staffer. Problem is, you can’t bore staff into compliance.
The secret to making training more effective is to make it bite-sized and iterative. Replace the one-and-done training model with short, engaging modules spread out throughout the year. Create and deliver training that educates employees, introduces new concepts, describes current threats and gives practical advice on how employees are to act as your organization’s first line of defense against social engineering, spear-phishing, ransomware and other threats.
Tip 4: Phish your employees
One of the quickest ways to show your employees that they play a vital role in protecting your organization from cyberattacks is to subject them to cyberattacks. Conduct a white-hat phishing expedition and share the results with your staff. Show them how easy it is for malicious hackers to compromise your networks, steal data and put your organization at risk.
White-hat phishing attacks serve a double purpose. Conducted after training, they help staff retain what they’ve learned by bringing the lessons to life. And they help you measure the effectiveness of your training over time.
Tip 5: Invite intruders to your office
Another effective way to bring training to life and to create a culture of cybersecurity is to simulate physical intrusions at random times during the year. Send unescorted people into your offices and document how many times they are able to “steal” unattended laptops, tablets, smartphones and other devices that hold confidential data or give access to your networks. Keep the timing of these exercises secret and random, so that staff learn to challenge strangers and lock up devices as a habit rather than only on test day, and share the aggregated results with your staff afterwards. Make sure the people you send in carry written authorization from management and a contact who can confirm the exercise: an unannounced intruder who cannot prove the test is sanctioned can end up with a call to the police rather than a lesson learned.
Tip 6: Make security adherence convenient and easy
Do your employees see compliance with cybersecurity policies as frustrating and inconvenient? For example, do they hate having to change their passwords every month? And, as a result, do they weaken your security by creating easy-to-guess passwords, or by jotting their latest passwords down on sticky notes and placing these on their monitors?
By making security rules frustrating and inconvenient, organizations simply drive their staff into finding less secure (but more convenient) workarounds. Forced monthly password rotation is a good example: current NIST guidance in SP 800-63B no longer recommends periodic password changes, precisely because they push people toward predictable passwords and sticky notes. To create a culture of cybersecurity, make security adherence convenient and easy. Start by establishing priorities. Choose the top three cybersecurity measures that will make the biggest difference to your organization. Then make adherence to those measures as easy and as convenient as possible.
Tip 7: Encourage employees to report incidents
Cybersecurity is easy to ignore because it’s rarely top of mind. Raise awareness of the need for constant vigilance by encouraging employees to report incidents. First, teach your staff to recognize phishing, social engineering, spear-phishing and other attacks. Then frequently and publicly encourage employees at all levels of your organization to report suspicious activity.
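Tip 4 says to phish your own staff and measure the effect of training over time, and Tip 7 says to get staff reporting what they see. The numbers that tie the two together are the click rate, the credential-submission rate and the report rate of each simulated campaign, and the short list of people who keep clicking campaign after campaign. The following is an added example, not code from the original article or from any phishing-simulation product: a small Python script that reads a constructed CSV export of campaign events (the `campaign,user,event` format and the event names `sent`, `clicked`, `submitted`, `reported` are assumptions; real platforms export something similar under their own names) and computes those metrics.

```python
"""Score a series of white-hat phishing campaigns from a constructed event export.

Added example, not code from the original article or from any vendor.
The CSV layout and the event vocabulary below are assumptions made for
this example; adapt parse_events() to your platform's export.
"""
from collections import defaultdict

# Constructed sample export (not real data): one line per event.
# A user who clicked AND reported is counted in both rates on purpose:
# reporting after clicking is still the behaviour we want to encourage.
SAMPLE_EVENTS = """\
campaign,user,event
2019-Q1,alice,sent
2019-Q1,alice,clicked
2019-Q1,bob,sent
2019-Q1,bob,clicked
2019-Q1,bob,submitted
2019-Q1,carol,sent
2019-Q1,carol,reported
2019-Q1,dave,sent
2019-Q2,alice,sent
2019-Q2,alice,reported
2019-Q2,bob,sent
2019-Q2,bob,clicked
2019-Q2,carol,sent
2019-Q2,carol,reported
2019-Q2,dave,sent
2019-Q2,dave,reported
"""

EVENTS = ("sent", "clicked", "submitted", "reported")


def parse_events(text):
    """Return {campaign: {user: set(events)}}; dict order = order in the export."""
    lines = text.strip().splitlines()
    header = [h.strip() for h in lines[0].split(",")]
    if header != ["campaign", "user", "event"]:
        raise ValueError("unexpected header: %r" % header)
    campaigns = {}
    for lineno, line in enumerate(lines[1:], start=2):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 fields, got %r" % (lineno, line))
        campaign, user, event = parts
        if event not in EVENTS:
            raise ValueError("line %d: unknown event %r" % (lineno, event))
        campaigns.setdefault(campaign, {}).setdefault(user, set()).add(event)
    return campaigns


def campaign_metrics(campaigns):
    """Per campaign: how many were targeted and the click/submit/report rates.

    Only users with a 'sent' record count as targeted; stray click or report
    events for someone who was never sent the lure are ignored rather than
    inflating the denominator.
    """
    metrics = {}
    for campaign, users in campaigns.items():
        targeted = [u for u, ev in users.items() if "sent" in ev]
        n = len(targeted)

        def rate(event):
            if n == 0:  # a campaign with no deliveries has no meaningful rate
                return 0.0
            return sum(1 for u in targeted if event in users[u]) / n

        metrics[campaign] = {
            "targeted": n,
            "click_rate": rate("clicked"),
            "submit_rate": rate("submitted"),
            "report_rate": rate("reported"),
        }
    return metrics


def repeat_clickers(campaigns, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` campaigns: candidates for
    targeted follow-up training rather than another all-hands slide deck."""
    counts = defaultdict(int)
    for users in campaigns.values():
        for user, ev in users.items():
            if "clicked" in ev:
                counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= min_campaigns)


def training_is_working(metrics):
    """True when the click rate fell and the report rate rose between the first
    and the most recent campaign; None if there is only one campaign to compare."""
    if len(metrics) < 2:
        return None
    values = list(metrics.values())
    first, last = values[0], values[-1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])


if __name__ == "__main__":
    campaigns = parse_events(SAMPLE_EVENTS)
    metrics = campaign_metrics(campaigns)
    for name, m in metrics.items():
        print("%s: targeted=%d click=%.0f%% submit=%.0f%% report=%.0f%%" % (
            name, m["targeted"], 100 * m["click_rate"],
            100 * m["submit_rate"], 100 * m["report_rate"]))
    print("repeat clickers:", repeat_clickers(campaigns))
    print("training is working:", training_is_working(metrics))
```

Two design points worth keeping when you adapt this to a real export: the report rate is the number that a cybersecurity culture actually moves (a falling click rate with a flat report rate means people are ignoring the lure, not defending against it), and the repeat-clicker list should feed private, individual coaching, never a public leaderboard, or the reporting you are trying to encourage will dry up.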
Tip 8: Invest money in creating a security culture
According to ISACA and the CMMI Institute in their 2018 Cybersecurity Culture Report, organizations with a strong cybersecurity culture spend 42% of their cybersecurity budget on security awareness training, annual testing and measurement. Organizations with weak cybersecurity cultures, on the other hand, spend less than half of that: just 19%. If you want to create a healthy cybersecurity culture, spend money to make it happen.
Tip 9: Correct misconceptions
One of the leading causes of complacency with cybersecurity is thinking that securing the enterprise against attack is the role of IT. But another leading cause is IT thinking that their network is already protected.
Some enterprises that use SAP, for example, assume that the anti-virus software on their servers and endpoints protects their SAP systems and data against malware. It doesn’t. Files uploaded to SAP applications are not written to the operating system’s file system as ordinary files; they land in SAP-managed storage such as database tables or a content repository, which operating-system anti-virus scanners never look at.
SAP does provide an anti-virus interface, the NetWeaver Virus Scan Interface (NW-VSI), but a regular anti-virus product only plugs into it if it ships an adapter written against that interface; a standard anti-virus installation on the host does not scan SAP uploads by itself. What these enterprises need is content-security software that integrates with SAP through NW-VSI, and a correction of their misconception that they are protected when they aren’t.
The bad news about contemporary cybersecurity attacks is that the most successful attacks target humans, not hardware. But the good news is that employees can be trained to recognize, prevent and report intrusions. When organizations foster an intentional cybersecurity culture, one based on continuous training and the inculcation of good habits, they enjoy fewer intrusions, experience fewer business interruptions and losses, and keep their reputations intact.