Do you know what the top cybersecurity risk for many organizations is?
If you said patching, vulnerability management, or email, you’d be wrong.
The top cybersecurity risk for many organizations is the human factor.
Yet, for many organizations, working on the human factor and embedding cybersecurity into your people’s decision-making process is always left for “another day.”
Why should you build a culture of cybersecurity?
In cybersecurity, we’re used to being reactive: cleaning up a malware infection, regaining control of an account whose credentials an employee gave away; the list goes on.
A culture of cybersecurity is all about being proactive, just as we’re used to being in our safety culture.
What if employees were empowered to think cyber-secure before they act, never compromise cybersecurity for quick results, and apply cyber-secure practices in every task completed?
Would this proactive approach give you better confidence that your business is cyber-secure?
If you’re still on the fence, consider this:
Proofpoint, a cybersecurity and compliance company, found in its 2019 Human Factor report that 99% of the cyber attacks they analyzed required human interaction to execute.
That means that of the attacks they analyzed, only 1% didn’t require someone in the organization to take some action. Imagine if we could stop just some of these actions. Would that reduce our risk?
By encouraging employees to report unsafe cybersecurity practices, we can also reduce the risk of internal threats. Internal threats were climbing in 2018, too: 54% more organizations recorded a growth of insider threats in 2018 (ENISA Threat Landscape Report 2018).
We’re not talking about just writing a policy and having the CEO promote it at the quarterly town hall.
We’re talking about working to ensure everyone includes cybersecurity in every decision they make.
That includes everyone from the CEO, down to the front-line workers.
Encourage the cyber-secure and cyber-safe behaviors you see, and implement corrective actions for the cyber-unsafe practices you also see.
Leadership modeling cybersecurity solidifies buy-in.
One common misconception is that cybersecurity is just for the “workers.” In reality, everyone in an organization plays a collective role in the organization’s cybersecurity.
Any effective culture stems from employee buy-in. However, to achieve that buy-in, employees need to feel that the desired outcome is believed and practiced by leaders in the organization.
Leaders are the ones who set the tone in an organization. They model what is acceptable and valued. In other words, you need to practice what you preach: if leaders require employees to practice good cybersecurity behaviors, then leaders should as well.
Understanding this from the executive level will remove the barriers in promoting and enforcing the culture change and demonstrate that doing work in a cyber-secure manner is a priority from the top down.
Why should I start from the top? Why can’t I delegate building a culture of cybersecurity?
Many organizations delegate the task of cybersecurity to a team within IT. From there, that team implements the “task” of increasing the organization’s awareness of cybersecurity, usually through a single yearly awareness training exercise.
The issue with this approach is that cybersecurity is made into a compliance task: quickly complete the yearly training module, and then it’s back to the old habits.
It shouldn’t be a surprise that cybersecurity is a process of continuous improvement, just like other organizational issues such as safety. Why not continuously monitor and promote good cybersecurity behaviors year-round, and reinforce those that are going to protect your employees and your company?
Not only that, but cybersecurity needs to be taken into account in all decisions, and coached right from the top down. Having everyone from the executive level to the front-line workers participating ensures no gaps are left that leave you vulnerable.
How can I begin creating a culture of cybersecurity in my business?
Develop a system to encourage positive cybersecurity behaviors and correct negative behaviors
It can be built effectively by using the same approach as is done with safety. Encourage the cyber-secure and cyber-safe behaviors you see, and discuss the practices that are not, along with the corrective actions for them.
Include cybersecurity in performance reviews
Document in performance reviews how actively employees practice good cybersecurity behaviors in their daily work, and include KPIs to measure it.
Unlike the usual generic compliance training, this allows the employee and their leader to identify specific gaps and find training specific to those topics.
Provide mandatory cybersecurity training for new hires
Not everyone who comes into your organization is going to have top-notch cybersecurity skills. Including cybersecurity in new-hire training can help ensure all employees start at a baseline. It is also the first place where you can educate them on how to report suspicious behavior or incidents, and how to get help.
Implement cyber-safety moments
Do you have safety moments at the beginning of your meetings? Encourage the addition of cyber-safety moments.
What’s critical here is to provide a large number of ready-made cyber-safety moments for your employees to use. The more comfortable you make it for people, the higher the probability it will catch on.
Plus, they’ll still be learning even if they didn’t come up with the cyber-safety moment themselves.
What are some cyber-safety moments you could write?
- Basic hygiene (for example, passwords and email)
- Examples of publicly-reported breaches or near-misses in your industry, or related industries
- Success stories in avoiding breaches or cyber incidents due to the action of employees in your business reporting suspicious activities or practicing cyber-safe behaviors
Mentor top-level management and business leaders
As we’ve mentioned above, culture change starts with everyone living and breathing it, from the top down.
Educate management and leaders on good cybersecurity behaviors. Actively mentor them on implementing these behaviors in their daily work and on mentoring their direct reports to do the same.
Summing it up
If you’re looking to start combating the top cybersecurity risk of the human factor in your organization, developing a culture of cybersecurity is one way to work towards it.
Have you developed a culture of cybersecurity in your business?