How to Build Cyber Culture  

Embedding security into culture will dramatically reduce exposure to cyber and regulatory risk.  


You don’t have to go too far these days to see news of the latest cybersecurity incident, or a company being fined for failings. Cyber resilience has been moved to the top of the regulator’s priority list and companies say they are pushing it up their agenda.  

Even so, the same failings happen time and time again.  

Take, for example, the ransomware attack against the Colonial Pipeline, which disrupted fuel supplies to the East Coast of the US and was made possible by a single leaked password. This is not a unique story: significant breaches which could and should have been prevented are on the rise. On each occasion the mistakes can be attributed to one thing more than anything else: the lack of a positive cyber culture.


The growing influence of digital technology at work, and in our personal lives, has greatly increased our exposure to cyber-attacks. The financial sector routinely attracts more cyber breaches than any other. The more it embraces digital technology and remote learning, the more exposed it becomes. There has not, however, been a similar advance in cyber culture. By this we mean what happens when people are left to their own devices. It is all very well for people to obey the rules and follow guidelines when a manager is looking over their shoulder.

The question is, what happens when they step away? 


In many cases, people will revert to their old ways of doing things: using unsecured personal devices, reusing the same password across multiple logins, and failing to take even the most basic security precautions. If they click on a malicious link, do they know what precautions to take, or the protocol to follow if a breach occurs?

In an environment of positive cyber culture, all this happens automatically with no input from above. The problem is that this is proving difficult to achieve. 


Instilling a positive cyber culture  

The first thing to note is that a cyber culture will not grow organically on its own. It has to be deliberate and disruptive, transforming the way things used to be done and replacing them with a new approach in which sustainable cyber resilience is part of a firm's DNA. It applies not only to day-to-day operations but to the products and services a business delivers. A sustainable culture is persistent. It is more than a one-time event. It applies to everything.


Getting there is not easy but there are things that organisations can do, including:  

  • Give everyone ownership: There is often a feeling that security belongs to the IT department. In fact, every employee, from the top of the executive team to the newest intern, is a vital cog in the security ecosystem. They need to understand how security applies to them and their department, through tailored programmes focused on different parts of the business. That way, someone in HR, for example, will see specifically how security concerns affect their work.

  • Offer rewards: Employees are naturally keen to please. They will focus on work which is rewarded and which advances their standing within the company. By incentivising positive behaviour and rewarding those who perform well, a business can turn mindsets more towards security.

  • Build a community: Security should be seen as an organisation-wide issue. However, the focus all too often turns inward. Concentrate on establishing communication links between departments, so they can share perspectives and best practice.

  • Raise awareness: This is about more than just educating people about threats such as phishing emails or trojan horses. It is about fostering their ability to judge threats and take robust action swiftly. Making sure everyone in the company is security conscious, and adept at intuitively adjusting their actions to improve security, is vital.

  • Make it fun: One problem security has is that it is often considered a dry topic. Rather than long, dull PowerPoint presentations, try injecting an interactive element into awareness training and teaching.


Security has to be about much more than technology, rules and protocols. The vast majority of breaches happen because of human error. In these cases, the fault will often lie not with the quality of the cyber defences or a lack of rules, but with a culture in which employees either lacked awareness or simply did not follow their own company's rules.

Establishing a positive culture will create an environment in which following the rules and maintaining best practice become second nature.
