2020 was an unprecedented year for all industries, and cybersecurity was no exception. It was a record-breaking year for data breaches and cyber-attacks, with the average cost of a data breach reaching $3.86 million. The number of cyber-attacks and data breaches will only continue to rise in the coming years. However, organizations can prevent unnecessary security incidents by changing their perspective on cybersecurity from a concept to a culture. When a cybersecurity culture is created at an organization, employees are more aware of their role in protecting against cyber-attacks and better able to follow proper security measures in the workplace.
No organization will have a perfect security infrastructure, and leaders must accept that employees will make mistakes. How leadership responds to mistakes and incidents, however, sets the precedent for cybersecurity within the organization. Cybersecurity can seem overwhelming to those outside the field. Helping employees understand why their organization would be targeted, the various types of threats, and where those threats would come from is a useful approach to shifting culture and could prevent security incidents. For all employees to adopt a culture of cybersecurity at work, they must understand the risks and see how they are part of a team effort.
Leadership must also be realistic about the likelihood and causes of cyber-attacks. Many cyber-attacks result from human error, as attackers try to exploit people's general good nature. Employees will make mistakes, and it's best to avoid playing the blame game. Employees are less likely to adopt the cybersecurity culture if they feel they are walking on eggshells. When errors occur, they present an opportunity for leaders in the organization to set up a time to educate users about what happened and to provide training as a means of preventing a similar incident from happening again.
Another way to effectively create a cybersecurity culture is by partnering with a security advisory team. Say you are the CEO of an organization that experiences security incidents monthly. You've had enough of the impact on your business, and you hire a security advisory team to investigate. They propose a social engineering campaign to determine who might click on malicious links in emails, and how many times. When you receive the report, it reveals that security is something that needs to be taken seriously: 95% of employees are clicking the links in the email, and even clicking them multiple times, which explains the high number of security incidents across the company. The security advisory team would approach this by setting a goal for the company to achieve and creating a step-by-step plan for bringing about the cultural shift.
When you change how cybersecurity is viewed within an organization, there must also be a way to assess the change. One way to assess the effectiveness of increased training and education is to perform a SWOT analysis, which identifies strengths, weaknesses, opportunities, and threats. Regular SWOT analyses help show whether training is producing progress, or indicate that a change of strategy is necessary if few improvements are seen.
It is also important to note that creating a cybersecurity culture at work is not the same as security awareness training, nor is it only a precautionary measure. It takes time to build awareness and sound security for an organization. It is better understood as a step-by-step approach to setting goals that achieve a deep-rooted, lasting change in the organization.
If you want to create a culture of cybersecurity at work, here are some best practices to help you get started:
- Establish that security is everyone’s business
- Hold regular company-wide security awareness trainings
- Establish that security is a process and takes time
- Avoid playing the blame game; security culture should be a positive environment
- Recognize employees who have taken the cybersecurity culture to heart
- Know how to use the tools at your disposal