Creating a Culture of Cybersecurity

The rise in corporate cyber-attacks costs businesses billions of dollars per year. From startups to large publicly-traded corporations, it is rare that a day goes by without another story of a cybersecurity breach.

An IT department or outsourced IT company is only the first step in the defense against cyber-threats. These professionals implement the basic tools that prevent many attacks. However, even with the best-trained, best-staffed, and best-funded IT department, your business remains just one click away from undermining those protections.

Human error is responsible for the majority of the worst reported data breaches. A lack of cybersecurity awareness training leaves organizations susceptible to attacks and puts companies at risk of losing their reputation, customer loyalty, and potentially their bottom line. Untrained employees are more likely to open malicious website links, fall victim to phishing scams, and unintentionally share sensitive data. Nonexistent or insufficient company security policies compound the issue.

No company would allow its employees to provide customer service without undergoing training first. Yet the majority of organizations grant access to company email, corporate documents, and even financial information without ever providing training on how to keep this important data secure.

As Nick Wilding of AXELOS points out, "staff should be [businesses'] most effective security control but are typically one of their greatest vulnerabilities". 

The following statistics illustrate the need for employee (and management) cybersecurity training and a company-wide cybersecurity policy:

“One in ten confessed to downloading content at work they should not”.

“Two thirds (62%) admitted they have a very limited knowledge of IT Security”.

“One in five workers (21%) let family and friends use company laptops and PCs to access the Internet”.

These statistics are particularly alarming considering that recent research shows upwards of 75% of organizations fall victim to a staff-incurred security breach, half of which are the result of human error. Many companies do not require employees to undergo cybersecurity training, because many company executives do not believe this training is “very effective” and think it does little to change employee behavior. But the opposite is true: regular training resulted in an 80%+ increase in keeping data secure.

The days of keeping your business safe by regularly updating your antivirus software are gone. While technical security measures will measurably protect your organization from numerous forms of cyber-breach, they will do little to nothing to prevent an untrained employee from falling victim to CEO fraud or phishing emails. Cultivating a corporate culture that makes everyone responsible for cybersecurity is the best way to safeguard against potential data breaches.

The following five-step process will help your organization create a culture of security:

1) Assess

It is important to assess your organization’s current security environment before taking steps to improve it. A risk assessment can be performed in-house, but it is most effective when performed by a professional cybersecurity firm. This provides an outside, unbiased point of view, and most IT departments are not equipped or trained to perform this type of assessment.

2) Communicate

This is possibly the most crucial step in the process, because it can make or break employee buy-in. Getting employees on board with new policies and procedures is the first step in creating the desired company culture. You need employees working with you rather than against you to create a security culture.

3) Train

It may be common knowledge to an IT department employee that one should never open email attachments from unknown senders, or never reuse a work password for social media accounts, but for some employees, this may be the way they’ve always done things. Worse yet, they may never have been trained or even told about this practice. It is the responsibility of top-level management to provide consistent and up-to-date cybersecurity training and best practices.

4) Recognize & Test

Develop incentives to motivate employees to apply the training they have received. Also, devise a plan to pick employees up on small policy infringements. If you see an employee sharing a password via email, don’t just ignore it. In addition to recognizing both positive and negative employee behavior, it is important to run controlled assessments to gauge your company’s susceptibility.

5) Review

There is no doubt that hackers are smart and know how to infiltrate a company’s weakest link. Additionally, new types of attacks are constantly emerging, so it is important that top management and the IT department work together to stay ahead of the hackers.

Organizations of all sizes and industries can benefit from a professional security assessment to begin creating a culture of security.