Most security incidents have less to do with technology and more to do with people. In 2021, 82% of security breaches involved a human element. Negligence, judgement errors, carelessness, misuse, misconfigurations and biases help cyber criminals walk through the front door of some of the most “security-savvy” organisations.
The threat landscape is also becoming riskier and more complex. Employees working from home are accessing sensitive resources from outside the corporate perimeter, making them more vulnerable to social engineering, fraud and phishing scams. New geo-political risks are emerging and critical infrastructure is increasingly getting connected to the internet.
Security is now everyone’s responsibility, not just IT security teams.
Difficult to harness and tame, human behaviour is arguably one of the biggest challenges faced by security practitioners, leaders and cyber risk managers. That’s why the concept of security culture is increasingly important: Culture holds the power to influence employee behaviours, attitudes, perceptions, beliefs, norms and customs.
So, how can organisations strengthen their security culture? Here are six best practices that can help:
1. Measure things to create meaningful impact
You can’t change what you can’t measure. To positively influence security culture, you must first analyse its current state. How often is security training conducted? What are the participation rates and engagement metrics like? How do employees perform in phishing simulations? What are employee attitudes, values and beliefs concerning the organisation’s cyber security program? How frequently are employees reporting and flagging phishing emails? What are the top root causes of cyber attacks? Are relevant security controls already in place?
Once security teams have an understanding of the overall state of security controls and the underlying security culture, they can then embark on their plan to achieve desired behaviours.
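The measurement step above is easier to act on when phishing-simulation results are turned into the same few numbers per team each campaign: the click rate, the report rate, how many people reported before (or without) clicking, and how quickly reports arrive. The following is an added example, not code from the original article; the records are constructed, and the field names, the department grouping and the report-rate target are assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class SimResult:
    """One recipient's outcome in a phishing simulation (constructed schema)."""
    user: str
    department: str
    clicked_at: Optional[int]   # seconds after delivery; None if never clicked
    reported_at: Optional[int]  # seconds after delivery; None if never reported


# Constructed sample campaign; not real data.
SAMPLE_RESULTS: List[SimResult] = [
    SimResult("alice", "finance", clicked_at=120, reported_at=None),
    SimResult("bob", "finance", clicked_at=None, reported_at=300),
    SimResult("carol", "finance", clicked_at=60, reported_at=90),   # clicked, then reported
    SimResult("dave", "finance", clicked_at=None, reported_at=None),
    SimResult("erin", "engineering", clicked_at=None, reported_at=45),
    SimResult("frank", "engineering", clicked_at=None, reported_at=600),
    SimResult("grace", "engineering", clicked_at=30, reported_at=20),  # reported before clicking
]


def summarise(results: List[SimResult]) -> Dict[str, dict]:
    """Per-department campaign metrics: click rate, report rate, early reports, median time to report."""
    buckets: Dict[str, dict] = {}
    for r in results:
        b = buckets.setdefault(r.department, {
            "sent": 0, "clicked": 0, "reported": 0,
            "reported_before_click": 0, "report_times": [],
        })
        b["sent"] += 1
        if r.clicked_at is not None:
            b["clicked"] += 1
        if r.reported_at is not None:
            b["reported"] += 1
            b["report_times"].append(r.reported_at)
            # A report counts as "before click" if the user never clicked or reported first.
            if r.clicked_at is None or r.reported_at < r.clicked_at:
                b["reported_before_click"] += 1

    summary: Dict[str, dict] = {}
    for dept, b in buckets.items():
        summary[dept] = {
            "sent": b["sent"],
            "click_rate": round(b["clicked"] / b["sent"], 3),
            "report_rate": round(b["reported"] / b["sent"], 3),
            "reported_before_click": b["reported_before_click"],
            # None when nobody reported, so a silent department is visible rather than hidden as 0.
            "median_report_seconds": median(b["report_times"]) if b["report_times"] else None,
        }
    return summary


def below_target(summary: Dict[str, dict], min_report_rate: float) -> List[str]:
    """Departments whose report rate is under the target (assumed target, set by the programme)."""
    return sorted(d for d, m in summary.items() if m["report_rate"] < min_report_rate)


if __name__ == "__main__":
    s = summarise(SAMPLE_RESULTS)
    for dept, m in s.items():
        print(dept, m)
    print("below 60% report rate:", below_target(s, 0.6))
```

Tracking the report rate and the "reported before click" count alongside the click rate matters because a falling click rate alone can reflect people ignoring mail rather than recognising it; a rising report rate is the behaviour the culture work is actually trying to produce.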
2. Start from the top
Any culture change must ideally start from the top. If the C-suite does not support the desired transformation, all efforts will likely fail. To secure leadership buy-in, explain the business case with clarity. What are the risks? What are the metrics? What is the proposed framework? Demonstrate the positive impact of lower risk, better efficiency, improved reputation, fewer human errors and fewer incidents. Ensure that leaders empower others, articulate and communicate the goals, visibly demonstrate their own development, and encourage even the most nuanced cultural shifts.
3. Keep it real and relevant
When training employees, always cite real-world examples of cyber attacks making the headlines. Explain how cognitive biases are impacting day-to-day decisions. Sometimes users know what to do but not how. Sometimes cyber security teams tell them how to do it but fail to remind them why. Create programs that are customised and tailored to the target audience based on the work profile, level of risk, security maturity or competence. Try to offer high-value content. Many people undergo security awareness and compliance training because they have to, not because they want to.
4. Talk in a manner people understand
Most technical people tend to get carried away with jargon. Try to keep it simple. Avoid using words that evoke negative connotations. For example, instead of using security concepts like “zero trust,” use simpler words such as “always verify.” Instead of using “security patching” or “life cycle management,” use phrases such as “always be up to date.” The idea is to be positive with communications so employees from various departments who might not be familiar with cyber security jargon find it meaningful, relevant and impactful.
5. Create a culture of accountability, not blame
A positive security culture is one that gives people confidence that they can speak openly and see the organisation improving as a result. Helping workers understand what is best for securing the organisation also protects their own personal data and privacy. If an employee finds something that’s flawed or discovers a phishing attempt, they should feel free to report it without fear of reprimand.
6. Empower employees with the tools they need
Make security policies and procedures clear to users (what they should be doing, why they should be doing it and how). Offer regular security awareness training that includes the latest trends and tactics used by cyber criminals to scam victims. Deploy security best practices such as anti-spam filtering, endpoint detection and response, multi-factor authentication, intrusion detection systems, etc., to ensure users are protected. Build a feedback loop or reporting process to gain a better understanding of evolving employee requirements and challenges.
To summarise, start with culture at the top and focus on behaviour at the bottom. Empower employees, train regularly and run phishing simulation exercises, encourage reporting of suspicious activity or anomalies, and have metrics in place to help the organisation deliver continuous improvement.