Building a Strong Cybersecurity Culture in Your Organization

July 30th, 2018

You've seen the headlines. Cybercrime is on the rise. Hackers are getting smarter. Cyberattacks are happening every day. As a business professional, you know that data theft and cyberattacks aren't just happening to big businesses anymore. And it’s not a matter of if they happen to you, it’s a matter of when.

That's why you've invested in the security of your network with advanced technologies and software to keep the bad guys out. But technology alone won't help you overcome the weakest link in your network - the people you entrust to run your business every day.

While cybercriminals are getting smarter, it isn't their ability to infiltrate your technology that should worry you the most. It's their ability to convince your trusted employees to click on a malicious link, open a booby-trapped attachment, or reveal key company information. That’s the ability that makes them such a serious threat.

The truth is that it doesn't matter if you have the best lock in the world if someone leaves the door open.

So how do you build a strong cybersecurity culture in your organization? How do you make sure everyone knows they need to keep the door closed at all times?

Cybersecurity Starts at the Top

First things first… you need to embrace the idea that cybersecurity is NOT just an issue for your IT team. Cybersecurity should be the responsibility of your company’s entire leadership team. Leadership at your company is responsible for leading, and this is just as true for cybersecurity as it is for eliminating sexual harassment and hostile work environments.

You and the rest of your leadership team have to set the example of a cybersecurity culture and promote that culture by:

  • Actively engaging in cybersecurity decision making
    Is leadership at your company expected to actively engage in decision-making for processes? For growth strategies? For loss prevention? For customer satisfaction goals? Cybersecurity is every bit as much of a risk to your business as a bad growth plan or processes that waste time and money. With one major difference… it has the potential to happen in every single department, across all managers and team members. Every one of your senior leaders needs to view cybersecurity as an opportunity for more risk-management practices in their department.
  • Promoting the idea of cybersecurity in their team
    You’ve likely put a lot of thought into creating your company’s culture and a lot of effort into cultivating that culture. And you’ve just as likely expected everyone in leadership to put just as much thought and effort into it. Why wouldn’t you expect your leadership to also promote cybersecurity?

And It’s Most Important at the Top

It can’t stop there, though. Your executives need to realize they themselves are your company’s biggest targets for cyber-criminals.

This is partly because they are the most likely to have, or have access to, high-level data, but also because they are the most mobile and more likely to be working away from the office. As one security report points out, CEOs are most likely to be hacked when working outside of the office.

As people who are both in possession of the most sensitive company data and the most available to hackers, your leadership is the ideal target for a hacker.

Changing how your company’s leadership team thinks about cybersecurity is the first, and most important, step in creating a cybersecurity culture.

Cybersecurity Is Everyone's Job

Too many people tend to think of cybersecurity as something that is separate from our day-to-day responsibilities. It's something that happens ‘over there’ in the IT department. But the reality is that every employee can affect how secure the company is by what they do or don't do every day.

To develop a strong cybersecurity culture, you need to convey the fundamental truth that security is everyone's responsibility. In fact, security needs to be baked into everything a company does and tied to each employee's job responsibilities.

Add Cybersecurity to Your New Hire Onboarding Process

Not everyone that you hire is going to come from a previous company that embraced and valued cybersecurity as a culture. Or even as a process. To make sure every employee is trained in proper cybersecurity procedures, specific to their job, from day one, add that training to your new hire onboarding process.

Here are a few of the basics you should review with your new hires:

  • Password policies
  • Mobile device policies
  • Data storage policies
  • Ongoing cybersecurity training
  • What to do in the event of a cybersecurity incident

Let them know from day one that they are coming into a company where cybersecurity is so important, you train them on it before you even put them in front of a computer or mobile device.

Build Security Awareness through Regular Education 

If we're going to make everyone responsible for cybersecurity, everyone needs to understand their role and how they can help. That's why it's so important to build awareness around security and go over key concepts on a regular basis. Since security threats change constantly, scheduling security education on at least a quarterly basis is essential.

Continuing education should focus on:

  • The dangers of clicking potentially malicious email links
  • The dangers of accessing data from unprotected networks, such as public Wi-Fi
  • The potential problems with browsing insecure websites
  • The importance of using strong, unique passwords
  • Software to avoid
  • The company's specific cybersecurity policies and protocols
  • Current scams and threats making the rounds

We recommend working with your IT service partner to identify potential security threats and develop security education that addresses those issues.

Make Security Training Fun & Engaging

Of course, none of your efforts are likely to succeed if you don't make the process of embracing a security culture engaging and fun. While security is a serious topic, there's no reason that the education process needs to be a series of boring lectures or dull PowerPoint slides.

Using your imagination and a bit of creativity can go a long way to helping your team not only remember the concepts presented, but actually implement them in their day-to-day jobs.

Our top tips for effective cybersecurity training:

  • Make it easy to understand and short
    Do you remember how hard it was to stay awake when that monotone college professor stood up there and droned on and on… and on… and on? You probably weren’t always successful at it. You certainly weren’t likely to actually learn and digest what that professor was trying to teach you. And your employees are no different. Keep it short and sweet.
  • Make it interactive
    77% of employees learn better from game-based training. Use gamification and interactive elements like points, badges and leaderboards to encourage your team to take what you just taught them and actually use it outside of the training.
  • Reward them
    Even if you decide not to implement any type of game-based challenge, you should still reward your employees when you see them implementing something from your cybersecurity training. It doesn’t have to be big rewards either. Sometimes the most valued reward is simply a hand-written note thanking them for being conscious of the company’s cybersecurity and praising their efforts.

Another idea you can consider to keep your training fun and engaging is regularly scheduled “lunch & learn” events. These short meetings can keep employees up to date on the latest threats, while giving them free food and a little bit of socializing with co-workers. (The free food never hurts either.)

Or schedule mock tests like phishing simulations to see how many employees take the bait. Occasionally, you might even consider going all out and creating a movie, game, or political theme for your training events.

You get the idea. Make it fun and it becomes something they actually want to pay attention to instead of sneaking in some Candy Crush time on their phone.

Keys to Sustaining a Supportive Security Culture

Laying the groundwork for a strong start towards cybersecurity is great, but a cybersecurity culture will not grow on its own. The process must be nurtured and fed in order to thrive and truly become part of your organization.

Here are some things you can do to nurture the process and continue to improve.

  • Don't Enforce Accountability Before You've Developed Awareness
    Give your team time to absorb your training before imposing accountability. You don't want to cultivate an "us" versus "them" attitude, where employees are pitted against one another. Or worse yet, against management.
  • Embrace mistakes
    Everyone in the company will make a mistake when it comes to security. And you don’t want employees trying to hide their mistakes. Encourage everyone to ask for help when they make a mistake. And to help when others have made mistakes. When employees can band together against the bad guys, everyone wins.
  • Don't Hide Security Mistakes
    When mistakes happen, use them as a teaching tool, rather than sweeping them under the rug or placing blame. This transparency highlights the need for continuing training, and provides opportunities for improvement.
  • Encourage Employees to be Part of the Solution
    Part of developing a supportive security culture is giving everyone a chance to express their concerns or offer suggestions. Give them the opportunity to ask questions or even propose an alternative way to accomplish your goal. This creates an inclusive atmosphere that gives employees greater ownership of the process.
  • Reward and Recognize Employees
    Be sure to recognize employees who do the right thing. Host monthly contests that reward security milestones to keep employees engaged. Recognize employees who have discovered a new phishing email or averted a security crisis. Reward them with lunch or a gift card. Take pride in them and celebrate their accomplishments!
  • Break Up Silos to Promote Better Communication
    To promote cybersecurity as a collaborative need, break down the barriers between departments wherever you can. This encourages employees to discuss their challenges with one another and often leads to better security awareness throughout the company.
  • Identify “Security Advocates” within the Organization
    Identify and make use of employees who are enthusiastic about security issues. These security advocates can provide on-the-spot training to co-workers to keep security training on track and provide motivation for others to follow their example. You might even want to consider providing advancement opportunities to employees who truly have a passion for security by investing in advanced training or degree programs.
  • Regularly Evaluate Both People and Technology and Share the Results
    Create systems and procedures to regularly evaluate both people and technology and share the results with your staff. This helps establish a baseline, track improvement, and provide transparency, so everyone understands the needs and goals of the company.

While it won't be easy, building and sustaining a strong cybersecurity culture in your organization is well worth the effort. Technology and software have their place in the war against hackers and data theft, but having all eyes on deck will help you discover potential threats sooner, respond more quickly, and keep your network and your business safer in the long run.

Antisyn is here for all of your IT needs

Want to find out more or have questions about developing and implementing a full IT strategy for your company? Antisyn is here to help Jacksonville-area businesses. Our IT services include full IT support, IT strategy, and cybersecurity services. Reach out to us and see how our passionate team can help your business.