Cyber Security Aware Culture – what is it?
A cultural shift is adopted at a subconscious level, so raising awareness of the threat through continuous reinforcement of the message is critical. There is a wealth of evidence that a strong cybersecurity culture reduces the risk arising from human actions. A poor cybersecurity culture, on the other hand, opens the floodgates and makes it far more likely that cybersecurity risks turn into real and costly incidents.
Broadly speaking, a cybersecurity aware culture is built through small steps and a rigorous programme of steady reinforcement of the benefits. It is similar in some ways to an inoculation programme: once we all understand the good sense of it, adoption levels rise over time until they reach an optimum state.
Why is this important?
Organisations worldwide are constantly inundated with cyber-incidents, and the weakest link is not the computers but the people using them. We see businesses addressing cybersecurity in two ways: those that spend money on security tools but do not train their people, and those that train their people but do not maximise the effectiveness of that training or measure its efficacy on an ongoing basis. Without the correct approach there is no guarantee that the learning stays at the forefront of people's minds, which leads to cybersecurity awareness being treated as an afterthought or as a tick-the-box exercise to meet compliance requirements. The key is balance: balance between the right security tools and educated staff.
In New Zealand, National Cyber Policy Office (NCPO) director Paul Ash said SMEs were "exceptionally hard to reach." For many of them, ignorance is bliss until a breach occurs and they arrive at the office to find all their files locked and no way to produce invoices. According to Statistics NZ, 90% of NZ companies employ at least five people, and every one of them relies on email, the most common attack vector, for business communication internally and with customers, vendors and partners. A single compromised email account can ripple out through all of those relationships. Everyone should treat spam and phishing emails as "a rogue friend who is always trying to get me to do things I never intended to do".
What it takes to build a cybersecurity culture
The building blocks in the following sections can be taken by any business and customised to fit its own cybersecurity strategy, budget and business needs.
i. Board or Owner buy-in – In NZ, the board has a fiduciary duty of care to protect the business, its people and its information assets against cyber threats. Cybersecurity, like any other strategic message, should therefore not be delegated below the CEO or owner. The correct posture combines top-down ownership with bottom-up awareness to promote a cybersecurity ready culture within the business.
ii. Understand your current cybersecurity state – Visibility is the stepping stone to a roadmap for building a cybersecurity culture. Security monitoring provides insight into the gaps in your security posture. At SecureCom, assessing your current cybersecurity state is the first step we take customers through to identify these gaps. A business-oriented report with your risk profile and mitigation recommendations is provided and often forms the basis of an effective plan.
iii. Risk management – Organisations cannot mitigate all security risks with firewalls, monitoring and anti-virus alone. These are important tools, but they need to be augmented with behaviour-driven controls that address the human side of the risk landscape. It is like becoming aware of your blind spots: once you know where they are, it becomes much easier to manage the wild expectations set by your rogue friend.
iv. Launching your cybersecurity culture – High on your list should be training all employees, and especially senior management, to understand how their actions and inactions can expose the organisation to cyber risk, including risks carried over from home. Awareness should make everyone sceptical and better able to exercise judgement, which is exactly what puts you in a stronger position to manage your rogue friend. One of the ways SecureCom introduces and helps reinforce a cybersecurity culture is through highly interactive cybersecurity awareness workshops, customised with content specific to your industry.
v. Market it internally – Promote the culture through engaging initiatives such as a cybersecurity month, posters, periodic tests and desk collateral that remind staff what they need to do to step up cyber defence. Effective communication about your rogue friend matters because that friend acts as judge, jury and executioner, with the final say on whether your relationship lives or dies. Periodic tests of this kind are also how SecureCom measures the success of its cybersecurity awareness workshops with customers.
vi. Keep the momentum – Leading by example, senior management or owners must provide consistent advocacy in which everyone has a stake. Cybersecurity must stay on the board's agenda, and executives need to understand the current context and trajectory of managing digital risk and align themselves with the company's cybersecurity culture.