What is cyber security culture?
A strong cyber security culture is one of the best ways an organisation can reduce cyber risk. The concept refers to the knowledge, assumptions, ideas, social behaviour, and values the workforce has towards cyber security.
Why is cyber security culture important?
The year-on-year growth in data, driven by technological advances and remote working, has been accompanied by a significant number of attempted cyber-attacks. However, breaches more often than not arise inadvertently from the people within the organisation, rather than from failures of the digital systems themselves. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved the Human Element, including social attacks, errors, and misuse.
Organisations spend millions on hardware and software but often neglect the simple act of training their employees in common security practices. We frequently read about companies that were targeted because of inadequate security, incidents that could have been avoided had their employees followed simple security standards.
How to create or improve cyber security culture in your organisation
To reduce and, where possible, eliminate cyber risk, decision-makers must put people at the heart of security. Organisations can’t function without people, so employees should be supported to enable them to do their job as effectively and securely as possible. Forward-thinking companies focus on helping employees protect their personal digital lives as well as corporate assets.
Teaching employees to recognise security threats, follow basic security habits (often referred to as “security hygiene”), make thoughtful decisions, and know who to report security concerns to, and how and when, in line with security policies and procedures, can be the best return on investment: it saves you time and money and ultimately protects your company.
As Forbes (2022) would agree, there are a few steps to ensuring safety in your business:
- Work from the top down – the entire business will follow suit if the message from the top is clear and demonstrated at that level. Actively showcasing and pushing this message from the top will inevitably lead to the rest of the business copying the example set. Role-modelling the requisite security behaviours is also essential to avoid undermining this message.
- Constant tailored education – accommodating every kind of person within the organisation is crucial. Employees who don’t enjoy the process of learning won’t retain or enact anything taught to them. Don’t be scared to make their learning fun and worthwhile! Vary the tone and content of training for different groups to maximise engagement.
- Consistency is key – consistent communication is vital, though not enough alone. It needs to be paired with other activities to ensure employees are proactive, not just reactive. This can be done easily enough by mimicking real-life attacks in the workplace; however, competitions and simulated attacks can have negative impacts, so our next blog will be dedicated to testing security practices.
First, you need to understand what the current cyber security culture within your organisation looks like. The following questions, outlined by the NCSC, are pitched at senior level and can be used to generate productive discussions with your technical and business teams. The aim is to identify what constitutes ‘good’ cyber security in terms of developing a positive cyber security culture.
On the other hand, Nine23 have pitched some questions to get you started at the lower levels of the organisation.
- Do our leadership behaviours reflect the importance of security to the organisation? Do we role-model positive security behaviours?
- Are we confident that everyone knows what, when and how to report in terms of security? Are those mechanisms clear and readily available?
- Do we reward positive security behaviour (e.g. reporting, challenging, checking)?
- Do our processes include security checks? Do we develop new processes with the intention of securing the creation of value and protecting it once created?
Start by building on existing strengths, adopting good cyber security practices, and connecting with the people in your organisation: listen to employees, understand how changes affect the way they engage with cyber security, and adjust where necessary. Wherever possible, incentivise and reward positive security behaviours, such as reporting suspicious messages and challenging insecure practices.
At Nine23 we define ourselves as your trusted cyber security partner. We fully understand the importance of cyber security culture within an organisation, including our own, and so we are developing a new solution to help you strengthen your organisation’s cyber security culture.