Five keys to strengthen your cybersecurity culture
We live in a society that is increasingly dependent on technology, and attackers are constantly becoming more creative. No network, system or device is 100 percent safe. Of the organisations that have already suffered a serious attack, 49% are targeted again within a year of the initial breach. Entering 2019, it is clear that enterprises can no longer kick the can down the road and accept 'good enough' as a feasible answer to ever-evolving cyber security threats.
So, how do we stifle the march of the cybercriminal? We have to approach it from a technological perspective, but from a human one too. Cyber criminals feed off our own behaviour and use it against us: they use a range of attack methods to trick us into performing actions that seem legitimate but are not. This is the aspect that technological solutions alone cannot resolve, and it has to be bolstered by addressing human behaviour. That is achieved by creating a 'security culture'.
It is often assumed that only large companies need to implement cybersecurity measures to protect themselves against cyber criminals and malicious hackers. In fact, small and large businesses alike need to safeguard their security more than ever. The reality is that, whatever the size of the business, the danger has never been greater.
Strengthen your Cybersecurity Culture:
1.) Genuine Executive priority and support
Executives should actively promote the importance of cyber security within the organisation. This begins with a more formalised, well thought out education and training programme built around the organisation's cyber security needs. Organisations should train both junior and mid-level staff on cybersecurity consistently to reinforce defensive behaviours. Cyber security training may seem labour-intensive, but it is effective in fostering a security culture. According to the Netwrix 2017 IT Risks Report, 37% of respondents said that insufficient staff training was one of the major obstacles to implementing a more efficient IT risk strategy. The remainder train only annually, or sometimes not at all.
Executives should make it their priority to strengthen these training programmes, because what is learned in a single session starts to fade beyond the one-month mark. Training could include scripted scenarios that imitate real-life attacks, role play and testing to assess effectiveness. Tailor the content of each training programme to the employees taking it: consider their department and other groups they belong to, their level of responsibility, their prior knowledge and what data they have access to. For instance, employees who do not have access to customer databases do not need training on how to work with them securely. Using examples of how employees in your company have violated policy in the past, and what happened as a result, can also be effective, but do not demonise the offenders and never disclose names. Showing that cyber threats are closer than one might think is a good way to encourage employees to follow security policies.
2.) Clearly document security policies
Security policy is a cornerstone of security culture because it guides employee behaviour. You should create at least two documents. The first is the official security policy. It should be prepared by the IT department and signed off by all stakeholders, and it specifies the rules and procedures that everyone accessing the business's IT systems and assets must follow.
The second is an informal document, created by HR, that explains the company's vision of security and highlights why following security best practice matters for the growth of the business and for every employee involved. Detailing the consequences of not adhering to the policy is also important. HR should ensure that all new hires read the security policy on their very first day, and that everyone can easily refer to it at any time.
You could also carry out frequent phishing simulation tests and publicise them, so that people are always on the lookout for phishing emails and websites, with the prospect of a small reward for being the first to report one to the IT department. Track the report rate as well as the click rate: a rising report rate is the better sign that the culture is changing.
3.) Encourage people to report incidents
A business is like a community in that employees contribute to its prosperity by being socially responsible. To nurture security responsibility, managers should encourage all employees to report not just full-fledged incidents, but anything suspicious they encounter, without fear of blame. They should provide an easy way to do this; normally, reaching out to IT staff directly suffices. By getting employees on board with reporting, you will spot security issues sooner and be able to respond far more promptly.
4.) Build a security community
A security community is the backbone of a sustainable security culture. Community provides the connections between people across the organisation and helps bring everyone together against the common problem, eliminating an 'us versus them' mentality.
A security community is built by understanding the different levels of security interest within the organisation: advocates, the security aware and sponsors. Security advocates are the people with a passion for making things secure; they are the leaders within your community. The security aware are not as passionate, but realise they need to contribute to making security better. The sponsors are those in management who help shape the security direction. Gather these people together in a special interest group focused on security.
A security community can take the form of one-on-one mentoring and weekly or monthly meetings to discuss the latest security issues. It can even grow into a yearly conference, where the best and brightest from across the organisation get the chance to share their knowledge and skills on the big stage.
5.) Recognise & reward
Being recognised is what makes employees feel appreciated. You need to ensure that everyone in the company is aware of what they may encounter. Through the training they receive, they will come to recognise the threats they face, whether it is phishing, weak passwords, uploading data to unsanctioned cloud services or failing to shred documents.
Managers should also recognise a particular team member who has helped detect a problem, either by email or at a company meeting. This shows everyone else that they are welcome to do the same, and demonstrates how important cybersecurity is to the company.
On a good day, policy is the last thing on an employee's mind. It is unfair to expect employees to understand, let alone comply with, complex policy frameworks that are often cobbled together from pre-written templates.
To me, the most important aspects of policy enforcement are:
- Engage with every employee and share the message without making it obvious that you are 'talking corporate'. If you take your employees on the same journey you are embarking on, it becomes easier to share your concerns, your requirements and your objectives.
- Convey the personal element of why you are enforcing certain rules and regulations.
In 2019 you will see more cyber attacks against businesses of all types and sizes. Many of these attacks will start with the cybercriminal manipulating our own behaviour. To fight this we must build defences using our greatest asset: our people. Cyber security culture is all about addressing insecure behaviour and encouraging improvement. In doing so you build an ethos that will protect you and your employees against some of the most common attacks, saving your business money and its reputation, and ensuring that compliance requirements are met.
A culture of cyber awareness is achievable
Building a strong security culture takes work, but it is undoubtedly the right path. Many organisations are already working on this cultural shift because they recognise they must approach information security with the same level of engagement and responsibility as financial and other risks. Commitment from the top to taking individual responsibility for security will spawn a strong security culture across the organisation, adding a critical layer of defence and reducing IT risk.
When security leaders set logical, incremental goals and show a readiness to try new training approaches when established ones fail to yield results, creating a culture of cyber awareness does not have to be a pipe dream. In fact, it is essential given the increasing sophistication of the threat landscape. Cybercriminals are masters at manipulating human nature to convince employees to do their bidding. It is time for security leaders to understand the human element of cybersecurity and use these insights to protect their employees and enterprise data.
SaltDNA, ranked in the top half of the Cybersecurity 500, provides a fully enterprise-managed software solution that enables private mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest security standards. The SaltDNA Desktop and Mobile apps are intuitive and easy to install and use. The SaltDNA Communication Manager provides a console for tight management of users and can be configured to support regulatory compliance. SaltDNA is headquartered in Belfast, Northern Ireland. For more information visit www.saltdna.com.