Do your employees complain about having to take information security training courses? Are they still following poor data protection practices?
If so, you have a poor cyber security culture and are liable to suffer a data breach sooner rather than later.
Lax practices in the workplace mean it’s not just cyber criminals you should be concerned about but also breaches caused by employees misplacing or stealing sensitive information.
Poor security awareness among employees also makes it easier for scammers to trick employees into handing over their passwords or clicking malicious links, which will infect the organisation with malware.
Let’s take a look at how organisations can create a strong cyber security culture to combat those risks.
Building a culture of cyber security
There’s a common misconception that cyber security is purely something that IT should deal with. But that’s clearly not true. Everyone in your organisation, from the board to the reception desk, plays their part.
When you realise that, you’ll see that it takes a broad approach to cyber security to ensure your practices are successful. As Kai Roer, author of Build a Security Culture, writes, many cyber security programmes fail because the person responsible attempted to create the entire thing themselves.
That’s clearly unfeasible – at least in organisations with more than a handful of employees – because no single person will have a clear understanding of the requirements of every member of staff.
Thinking that they do downplays the complexities of information security, and sets the organisation on the wrong path.
Organisations should instead get the input of each department on the ways they handle sensitive information and the places it’s stored – on desktops, laptops, removable devices, in the cloud, etc.
This will probably be a more extensive process than you currently have, so you’ll need a bigger budget and, by extension, board-level approval.
Some senior staff aren’t easily won over by the argument that ‘better cyber security prevents the risk of a data breach’, because they don’t realise the scale of the threat. If their organisation hasn’t been breached so far, then why should they change their approach?
That’s obviously false reasoning. Just because you happened not to be among the 61% of organisations breached last year, it doesn’t mean you’ll be as lucky in the future.
So you might consider persuading your bosses that the threat is real and that it’s only a matter of time before disaster strikes.
Alternatively, you might want to focus on the benefits of investing in cyber security. For one, you’ll be more efficient: there’ll be a decrease in lost laptops, phones and files. This will also save you money on replacing equipment and fixing mistakes.
You can also use your newfound security culture to win over businesses – particularly if you follow the practices outlined in ISO 27001, the international standard for information security.
Partners will be keen to work with organisations that can demonstrate their commitment to certain security practices, and a strong security culture is the culmination of these efforts.
Effective security will also help you keep data subjects and regulators satisfied when it comes to potential GDPR (General Data Protection Regulation) violations.
So, how can you get started building a security culture? Here are our tips:
7 tips for building a security culture
1. Consider your requirements
When it comes to staff awareness, the ‘one-size-fits-all’ approach isn’t appropriate for all organisations. For your staff awareness training programme to succeed, you’ll need to first consider the diverse needs and culture of your business and tailor the training accordingly.
2. Set metrics for success
Before you implement a staff awareness programme, you need to ensure it can succeed and decide how to measure that success. This means you must decide on the metrics you will use and take measurements to determine a benchmark before you start.
3. Be thorough
Staff awareness training for the GDPR does not mean simply briefing your employees about the Regulation. Instead, it should comprise a thorough programme that ensures all employees understand your organisation’s practices and procedures for processing personal data.
4. Engage your staff
Engaging staff training is critical to your programme’s success. Incorporating thought-provoking activities will give your staff a clear understanding of the key changes introduced by the GDPR and the requirements that will affect their day-to-day work.
A common technique to make security awareness programmes more engaging for participants is ‘gamification’, which uses behavioural motivators taken from games such as rewards, competition and loss aversion.
5. Focus on behaviour, not knowledge
To change their behaviour, employees need to understand how the content applies to them in their everyday roles.
To bridge the gap between knowing and doing, it’s essential to provide your staff with context for what they are learning and realistic examples they can follow. Doing so will help foster a much-needed cultural shift in which security becomes a part of everyday operations.
6. Time it right
There may be an urgent need to train your workforce, but this doesn’t mean your awareness programme should be deployed in haste. Instead, consider a phased rollout, allowing you to meet some immediate requirements, after which you can refine and improve the programme.
7. Play the long game
For long-term success, your staff awareness programme should be an ongoing process that begins at induction and is reinforced by regular updates throughout the year and/or whenever staff-related security incidents occur.
A cyber secure culture is built from the top
Cyber security may well be everybody’s responsibility, but staff aren’t going to create a cyber secure culture on their own. Senior staff must take the initiative and understand what they should be doing to address cyber security risks.
Our Cyber Security for Executive Management Live Online Training Course explains the threats that your organisation faces, such as malware and social engineering, as well as the risks associated with some of the policies you might have in place, like remote working and the use of mobile devices.