Six Tips for Creating a Stronger Security Culture within Your Organization
Saturday, September 23, 2017
Are employees in your company engaged when it comes to cybersecurity, or are they the weak point through which the next data breach will happen? With a few deliberate changes to company culture, you can make sure colleagues play an active role in protecting the company’s data, reputation, and privacy.
Does your company encourage the following practices?
- Make Security Everyone’s Responsibility
Many employees believe that the security department is solely responsible for security. However, to maintain a sustainable security culture, everyone must participate.
Andrew Bycroft is a cybersecurity specialist at the Security Artist, a management consultancy that specializes in reducing the cost of cybercrime. He warns that, “although the cybersecurity team should be called upon to provide security input, it should not be responsible for changing the culture.” Internal marketing teams should make sure key messages reach employees in multiple formats, because not everyone learns the same way; human resources can measure whether the cultural changes are taking hold, and legal can ensure regulatory requirements are met. Leron Zinatullin, an information security specialist who has worked at KPMG, notes, “the goal is not to teach tricks, but to create a new culture that is accepted and understood by everyone.” Engaging staff takes more than a PowerPoint presentation: new and current employees should receive dedicated, in-person training, and the company’s third-party vendors and contractors should receive the same training and communication about information security. A consistent approach across the organization is what makes cybersecurity everyone’s responsibility.
Effective communication is key to any organization, especially when sensitive data is on the line. Employees should be encouraged to take the “if you see something, say something” approach and speak up when they spot a phishing attempt. That way, a lure spotted by one employee can be flagged to the whole organization before the same message reaches others. With increased communication, patterns in attacks become clearer to all employees and sharpen identification skills across the board. Employees should be treated as the front line of threat detection and trained to ask the IT or security team for help whenever they doubt an email’s legitimacy, rather than guessing.
- Offer Incentives
When phishing attacks make headlines, it’s easy to ask who would fall for that. Yet plenty of people still believe phishing emails, which is why phishing remains one of the most common ways attackers get in. In an organization of hundreds, or even thousands, the odds are that at least one person will fall victim, and one is all it takes. To curb this vulnerability, organizations can offer incentives to encourage good security habits. For example, running simulated phishing campaigns with a tool such as PhishMe can train employees in better email hygiene: realistic but harmless phishing emails are sent across the organization at regular intervals to test how staff respond and who reports them. Curricula CEO Nick Santora says his team believes “good behavior needs to constantly be reinforced to achieve the goal of building a cybersecurity culture.” He recommends motivating employees with rewards, such as lunch with executives, employee-of-the-month-style public recognition, or other incentives that make employees feel empowered.
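One way to score a simulated phishing campaign, as an added example that is not code from the article, from PhishMe, or from any of the people quoted: the event log, the department roster, and the 10% follow-up threshold are all constructed assumptions. Beyond the single click rate most reports stop at, it also measures the report rate (the “say something” behaviour the previous section asks for) and the gap between the first click and the first report, which is the window a real attacker would have had before anyone raised the alarm.

```python
"""Score a simulated-phishing campaign from its event log.

Added example, not from the original article or any vendor product.
The event log, roster, and threshold below are constructed sample data.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample event log (CSV: timestamp,user,action). Actions are
# "sent", "clicked" and "reported"; a user may report after clicking.
SAMPLE_LOG = """timestamp,user,action
2017-09-18T09:00:00,alice,sent
2017-09-18T09:00:00,bob,sent
2017-09-18T09:00:00,carol,sent
2017-09-18T09:00:00,dave,sent
2017-09-18T09:00:00,erin,sent
2017-09-18T09:00:00,frank,sent
2017-09-18T09:03:10,dave,clicked
2017-09-18T09:04:25,alice,reported
2017-09-18T09:07:40,frank,clicked
2017-09-18T09:09:00,frank,reported
2017-09-18T10:15:00,carol,reported
"""

# Constructed roster: user -> department (assumed, for illustration).
ROSTER = {
    "alice": "finance", "bob": "finance",
    "carol": "engineering", "dave": "engineering",
    "erin": "sales", "frank": "sales",
}


def parse_log(text):
    """Parse the CSV log into (timestamp, user, action) tuples sorted by time."""
    rows = [
        (datetime.fromisoformat(r["timestamp"]), r["user"], r["action"])
        for r in csv.DictReader(StringIO(text))
    ]
    rows.sort(key=lambda r: r[0])
    return rows


def department_metrics(events, roster):
    """Per department: sent/clicked/reported counts plus click and report rates.
    A user counts once per action no matter how many times they repeated it."""
    per_user = defaultdict(set)
    for _, user, action in events:
        per_user[user].add(action)
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for user, actions in per_user.items():
        dept = roster.get(user, "unknown")
        for action in ("sent", "clicked", "reported"):
            if action in actions:
                stats[dept][action] += 1
    for s in stats.values():
        s["click_rate"] = s["clicked"] / s["sent"] if s["sent"] else 0.0
        s["report_rate"] = s["reported"] / s["sent"] if s["sent"] else 0.0
    return dict(stats)


def exposure_window(events):
    """Seconds between the first click and the first report: how long a real
    attacker would have had a foothold before anyone said something.
    None if nobody clicked; inf if someone clicked and nobody ever reported;
    0.0 if a report came in before the first click."""
    first_click = next((t for t, _, a in events if a == "clicked"), None)
    first_report = next((t for t, _, a in events if a == "reported"), None)
    if first_click is None:
        return None
    if first_report is None:
        return float("inf")
    return max(0.0, (first_report - first_click).total_seconds())


def recognition_candidates(events):
    """Users who reported the lure without ever clicking: the behaviour to reward."""
    clicked = {u for _, u, a in events if a == "clicked"}
    reported = {u for _, u, a in events if a == "reported"}
    return sorted(reported - clicked)


def needs_follow_up(stats, max_click_rate=0.10):
    """Departments whose click rate exceeds the threshold (10% is an assumed value)."""
    return sorted(d for d, s in stats.items() if s["click_rate"] > max_click_rate)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    stats = department_metrics(events, ROSTER)
    for dept, s in sorted(stats.items()):
        print(f"{dept:12} sent={s['sent']} click_rate={s['click_rate']:.0%} "
              f"report_rate={s['report_rate']:.0%}")
    print("exposure window (s):", exposure_window(events))
    print("recognise:", recognition_candidates(events))
    print("follow-up training:", needs_follow_up(stats))
```

Report rate and exposure window are the numbers worth tracking over successive campaigns; a falling click rate with a flat report rate means people are deleting lures silently, which does nothing for the colleague who clicked.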
- Make it Fun
Organizations need to make sure that security best practices are understood and implemented. Training may take various forms, including the increasingly common practice of “gamification,” which applies elements of gaming, such as competition or timed quizzes, to activities that would not otherwise be considered fun. Global consulting firm PricewaterhouseCoopers teaches cybersecurity through Game of Threats, in which executives compete against each other in simulated real-world cybersecurity scenarios, giving them an understanding of how to prepare for and react to threats.
- Modernize the Workplace
A modern security culture should enable users to work in the way they want, inside or outside the corporate network. Organizations that fail to adjust to modern workplace needs, such as employees using their own devices at work, are more exposed to data breaches, because the devices arrive whether or not there is a policy to govern them. “A bring-your-own-device (BYOD) policy is critical to an organization's IT security,” said Paul Carter, a Fuel User Group member and Information Security Engineer at Aplura, LLC. “As employees bring in their own devices, they may also introduce potential threats and vulnerabilities. Consequently, the organization must consider what are the risks and threats, and document the policy that employees must follow and the security baseline that will be maintained by the IT Security personnel.” Carter notes organizations may instead choose to permit company-owned devices only, to limit the attack surface of the network. “The main concern is that all options have been [considered] for network connectivity for external devices, so the organization can take the steps necessary to minimize risk to business operations.”
- The Three Pillars Must Work Together
According to Kai Roer, co-founder of European security startup CLTRe, technology, people, and policies are all part of security and, in his experience, you can’t change one without changing the others. For example, Roer notes that anti-phishing training cannot be expected to work if the company does not also use technology to reduce the likelihood of phishing attacks, or combine it with procedures for quickly helping those compromised. “Security problems can’t be solved by buying technology, adding a new policy, or setting up a security awareness program – we need all three pillars working together to support each other,” Roer says.
Whether you’re gamifying training or establishing new security messaging, make sure these practices have visible support from the top. If leaders do not create and promote a cybersecurity culture, employees will be less likely to follow these best practices. Most importantly, awareness campaigns should be ongoing, not a one-time initiative. By testing different methods and measuring the results, security professionals can find what works best for their organization and build a unified culture that reduces the likelihood and impact of attacks.
What are your favorite tips for creating a cybersecurity culture? Share them with the Fuel Community in our Fuel Forums.