Most business leaders know that organisational security is important. But these days, the term "organisational security" means much more than it did in the past. It's not just about installing antivirus software on employees' computers and assuming you're protected.
You can hire the best IT security people and buy the most secure software, and that's still not enough. Even high-profile organisations with all the resources at their disposal are not immune to mistakes that can lead to a security breach. Continuous testing and high standards for the IT security system cannot protect a company from cyber threats if employees do not know the importance of cyber security.
All companies therefore need a healthy cyber security culture.
What is a cybersecurity culture?
The term cybersecurity culture refers to the attitudes, knowledge, assumptions, norms and values of an organisation's workforce with respect to cybersecurity. These are shaped by the organisation's goals, structure, policies, processes and management.
A good cybersecurity culture is one in which elements of the organisational culture (policy, process, management, social norms, etc.) and elements of the individual culture (attitudes, knowledge, assumptions, etc.) are aligned with the organisation's approach to cybersecurity, manifested in cybersecurity-aware behaviour.
The core of creating an effective cybersecurity culture is to recognise that people make an organisation secure, not technology. People are both the best cyber defence and the weakest link in the cyber security chain. So it's critical to create an environment where employees have the knowledge and instinct to protect the business.
Human error remains the leading cause of data breaches around the world. In other words, companies may have their technical controls in place, but it's the human element that ultimately causes problems.
When everyone on your team, from new hires to your CEO, has an interest in and knowledge of operational data security, you've created a cybersecurity culture.
So how do we avoid the human errors?
Most people want to do the right thing. In a cybersecurity culture, you teach your employees what the right thing to do in cybersecurity is, so when they're faced with decisions, their default choice is always the right one.
Create a culture
When building a good cybersecurity culture, start with the basics. The goals of the cybersecurity culture need to be strategic, organisationally aligned and risk aligned. You need to understand what the current cybersecurity culture in your organisation looks like, if there is one at all. It's important to understand the mindset and behaviour of your organisation as it is now, so you can determine where the significant security gaps are and then develop a plan.
You will need to draft company policies. Get all team leaders - including those from the privacy, security and HR teams - involved and give everyone the guidance they need. And make the policies fair. Policies that make your employees' jobs harder won't be effective, no matter how safe they may seem.
An example might be a standard company password policy: each password must be at least 14 characters long and complex, and it may not be reused anywhere else.
The average US email address is associated with about 130 online accounts, so a person following that policy would need 130 complex, unique passwords, each changed every 90 days.
This approach looks very secure on paper, but it is almost impossible to follow, so in practice it does not work in a company. People cope by writing passwords down or reusing them with small variations, which is exactly what the policy was meant to prevent. Current guidance (NIST SP 800-63B) in fact recommends against forced periodic rotation unless there is evidence of compromise; length, uniqueness and a company-provided password manager, combined with multi-factor authentication, achieve the same goal without working against your employees.
Finally, when creating a cyber security culture or implementing changes to your cyber security culture, it is crucial that you listen to your employees. You must continue to listen to your employees and understand how changes affect the way they engage with cybersecurity. Having an objective and honest understanding of how your efforts are being received will help you make the right adjustments to continue moving toward your goal.
Give people what they need to succeed
Productivity software and services that support cybersecurity best practices, such as a password manager and single sign-on, make security-related decisions easier. Your team needs training too. Awareness training teaches employees what current threats look like, for example phishing emails, so that they recognise them when they appear and know how to report them.
Once you've created a cybersecurity culture, you need to maintain it, and employee recognition can help. Even an informal thank-you for the latest suspicious email an employee has reported to the IT department can increase engagement and make people more enthusiastic about sharing what they find. This also helps maintain lines of communication between the security team and the rest of the business, which is important. People should feel encouraged to ask questions and voice concerns without being judged.
The numbers speak for themselves
In 2014, IBM reported that human error was a factor in a whopping 95 percent of security incidents worldwide. In 2020, a study by Stanford University and security firm Tessian estimated that human error was responsible for 88 percent of all data breaches.
Employees in a company therefore pose a real security risk, but it is relatively easy to significantly reduce that risk by creating a good cyber security culture.
With reasonable policies, useful tools, trust and awareness training, you'll help your team make the right decisions before or when things go wrong.
Sofie Meyer
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.