People – your managers, co-workers and teams – are at the core of creating a culture of cyber security at work. Unfortunately, these same people are also the primary cause of cyber security incidents.
The latest figures from the Information Commissioner’s Office show that 71% of reported personal data breaches were due to the actions of internal staff members. The top offences reported were:
- Data emailed to the incorrect recipient;
- Data posted or faxed to the wrong recipient; and
- Unauthorised access provided to information.
Only 4% of these internal breaches result from malicious intent, e.g. the theft of sensitive information. The accidental actions of staff members cause the remaining 67%.
This is good news since by creating greater awareness and a culture of cyber security in your business, you can quickly reduce the number of cyber security incidents arising from accidents.
Why should you focus on cyber security culture?
Rather than simply deploying new technologies to defend against cyber security threats, you start to add additional layers of protection to your organisation by creating a culture of cyber security at work.
Once ingrained within your culture, cyber security becomes an essential consideration in every action and decision. You will no longer be purely reliant on technology to keep you safe. People and the business processes that they follow become an equally important line of defence in preventing, detecting and responding to cyber security incidents.
What does a good cyber security culture look like?
A good cyber security culture occurs when an organisation has well-defined cyber security policies, procedures and processes, e.g. for handling sensitive information, that are followed consistently by all staff members. It happens when your policies are part of the rhythm of the business and are visible in people’s conscious behaviours.
All culture begins at the top of an organisation and filters down and out until it touches every person within the business. When a good culture is in place, you see it present in your policies, systems, processes, leadership, approaches to work, and social norms.
Cyber security becomes a core part of the way you do business rather than simply being a task to tick off the ‘to-do’ list.
What five things can you do to enhance cyber security culture?
1. Set people up for success
While every person has a responsibility towards cyber security, you still need to have appropriate controls to prevent certain behaviours and encourage others. For example, 38% of people use a password that never expires. But weak and stolen credentials remain a common entry point and can be used to launch further attacks on your organisation.
You create the foundations needed for a robust cyber security culture by establishing the essential security controls consistently throughout your business.
2. Communicate effectively
Help your people visualise what you need them to do in respect of cyber security. Whenever you communicate, think about whether you have answered the key questions:
- What is being done?
- Why is cyber security important in this instance?
- What is the cost of doing nothing?
- How do they as an individual contribute to success?
Think about changing the language you use so your people see ‘data’ as ‘individuals’, not ‘records’. For example, encourage staff to treat all personal data as if it were their credit card details or medical information. This should discourage staff from breaching security controls where there is an element of trust, e.g. not leaving hard copies of personal data on desks overnight.
3. Review your remote working policies and processes
COVID-19, particularly its impact on employee working practices, is the largest-ever security threat. But hybrid working is here to stay, and nearly 60% of security professionals believe home working has made their organisation more vulnerable to cyber threats.
Lockdowns and remote-working led to rapid technology transformations for many organisations. Now that we have some time to reflect, it is an excellent time to review and update your security policies and processes based on actual events:
- What did/didn’t work well?
- What support issues did remote workers report?
- What information must people be able to access to do their job remotely?
- Did your business experience an increase in threats (or a breach)?
- How was it dealt with?
Ideally, your staff should have the same secure and streamlined user experience, regardless of whether they work from the office, at home, at a customer site or elsewhere.
4. Involve people
Simply dictate what your people should do, and you risk missing out on vital insights. Your people – particularly front-line workers – use your systems, follow your processes and interact with your customers daily. They know where things are broken or more cumbersome than they need to be because they’ve created the workaround to make life easier. You hired smart people who have great ideas, so listening to them is imperative.
Consider designating ‘champions’ in your business – these are individuals who demonstrate the right cyber security behaviours that you would like to see across your business. Not only will they take pride in their work, but they’ll also naturally seek to encourage these same behaviours in their colleagues. And if a system/process is broken, or they see someone doing the wrong thing with data, they will have the confidence to call it out, which allows your business to improve continually.
Creating a cyber security culture at work starts with you showing people what ‘good’ looks like. Investing in some simple cyber security training has the potential to reduce your security-related risks by up to 70%.
Furthermore, cyber security training should not just be a one-time exercise. Research shows that people who go 6+ months between training sessions become increasingly likely to fall victim to cyber-attacks, such as phishing scams.
Think about how to deliver ongoing and appropriate cyber security awareness training without it becoming a chore. For example, it’s possible to test whether your people would fall victim to a scam with phishing simulations. You can then deliver tailored, individual advice for those who clicked the link.
How can you measure improved cyber security culture?
Any metrics you select must be meaningful and actionable if you are to improve your cyber security culture continuously. For example, if you choose to execute a regular phishing simulation, you can track the percentage of opens/clicks over time to determine the effectiveness of your training.
You may also choose to assess your current business against an industry standard, like the Security Controls Framework (SCF), which includes 11 controls around security awareness and training.
It is also worth considering the benefits of obtaining support from an external consultancy. This is particularly beneficial to gain an impartial view of cyber security within your organisation. For example, how people feel about cultural indicators, like confidence, engagement, outcomes, responsibility and trust.
Need some additional help?
There will never be a ‘one-size-fits-all’ approach to building a better cyber security culture. People within organisations typically have different levels of awareness, perform different roles and have different requirements. As a result, for awareness training to be successful, it must take account of the divergent needs and cultures within your business.
CyPro’s Cyber Security Awareness Training service is precisely that – tailored face-to-face training that isn’t just a glitzy PowerPoint. Our sessions are informative, interactive and leave our clients coming back for more.