Creating A Culture Of Cybersecurity

By Julien Escribe. August 17, 2022. Updated: December 15, 2022. 4 Mins Read
Cybersecurity is a top priority for all organisations, but any system will only be as strong as the people who use it.

In a world where data breaches can cost millions in fines and disrupt entire countries, it’s more important than ever that companies implement a systematic Security by Design approach, thinking of the security implications of everything they do, including the habits of their employees.

Analysing the culture and behaviour of an organisation, not just the physical and virtual security systems, provides a clearer idea of where vulnerabilities might lie. Addressing the human dimension of cybersecurity often involves significant culture change, with the goal of reinforcing security as a priority for all employees, not just the IT team.

How do you build a culture of security?

1. Change the language and training around security

Businesses need to help their employees learn how to do things differently and train them to think of security as a business priority. Researchers have found that our working memory capacity is between three and five ‘chunks’ of information. This number starts to decline in our 30s, so a safe working figure is probably four chunks of information that the majority of your employees are able to keep in their short-term memory at any point.

What does this mean for security? Basically, we need to keep things simple and easy to remember.

Factsheets and training days may have their place, but on their own they’re not enough. Consider instead a strategy that combines continual awareness testing with roleplaying of worst-case scenarios, so that security becomes an embedded mindset rather than a one-off lesson.

2. Make security training and reinforcement part of regular meetings

In the manufacturing industry, it’s standard practice for daily or weekly team meetings to start with a section on safety. This is the kind of behaviour we should adopt for security practices, too. A regular update on new threats, suspicious activity, and a reminder of best practice is a great way to constantly remind people of their role in the organisation’s security. Engagement and repetition are effective ways to continue guiding a change in behaviour.

Consider new and different ways to train users. People respond to learning in different ways, so create more engaging learning tools, such as short videos showing real-life security situations. Humour can work well, too. The best training materials transform concepts into something more personal and relatable. They can be coupled with broader exercises, such as IT-controlled phishing simulations, which provide measurable results over time and show how resilient the organisation as a whole is to widely distributed attacks.

3. Invest in proactive, not reactive defence

Organisations need to get more proactive when it comes to defending their systems. Threat intelligence should cover the internet as a whole, including the Deep and Dark Nets.

Find out who’s interested in the company. Look for entities that are buying and selling the organisation’s credentials. Businesses need to know where the potential threats are coming from and how they’ll know when they’re being attacked. With this information, the business can give employees the information and training they need to modify their behaviour and learn positive security habits.

4. Establish a cybersecurity centre of excellence (CoE) and communities of practice (CoP)

CoEs act as sparring partners, allowing businesses to test solutions and challenge their assumptions about security products and services before they are rolled out.

CoPs take this work to a larger audience, allowing employees to form communities to keep them up to date on the latest threats and remind them about their responsibility in keeping the network safe.

You could consider activities like workshops featuring security professionals with expertise in specific areas, to drive collaboration and discussion around security concerns.

5. Stress-test your preparedness

Tech teams are used to stress-testing systems against online threats. In a culture of security, these tests include employees to account for human behaviour and error. Run regular simulations of cyberattacks to identify problems with the tech response and see how people respond.

Businesses can see how well their new culture is working by simulating something like a social engineering or spear-phishing attack.

No matter how much you prepare, someone, at some point, will make a mistake. We’re human. But with the right culture, where employees put security at the heart of everything they do, you can reduce the risk of a catastrophic security breach.

Julien Escribe

Julien is a partner at ISG and leads its digital practice in the South Europe and Middle East Region. Having been involved in more than 80 successful engagements in IT performance assessment and sourcing strategy, Julien brings his clients long-term experience and insight that draws from working with ten of ISG’s largest global clients.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
