Many organizations are beginning to treat security as more than reacting to IT security issues: they are becoming proactive, anticipating and planning for security problems, and building a culture that makes cybersecurity a top priority company-wide. According to a recent Forbes magazine article, building a strong cybersecurity culture is the most critical element of an organization’s security strategy.
This article will highlight the growth of cybercrime and how often employees unknowingly cause security incidents. It will also define what a culture of security is, why it matters, and finally how to foster that culture company-wide.
We’re all human, but we can all work together to reduce cybercrime
According to the Verizon 2021 Data Breach Investigations Report, 85% of breaches involved a human element, such as social engineering or error. This makes it clear that organizations can’t afford to neglect the human side of cybersecurity.
People are every organization’s weakest link, but also its greatest asset. It’s important that every organization have a strong defense and create a “human firewall” to guard against cyber threats and any other potentially malicious activity.
What is a culture of security and how can you help foster it?
So exactly what comprises an organization’s security culture?
It’s the beliefs, customs and behaviors of employees and leadership that influence its security. A sustainable security culture is one where the organization intentionally and actively works to establish security-related values. Instead of just requiring new employees to sit through long cybersecurity training sessions, companies need to establish a culture of security: one where values are demonstrated by employees and leadership in a way that new employees see and emulate. Everyone in the organization needs a “trust but verify” mindset at all times.
Dispelling some common myths about building a culture of security
Attitudes about cybersecurity can’t be changed without executive buy-in and support. Cybersecurity isn’t just IT’s responsibility; it is every employee’s. All employees need to work with the organization and the IT department to keep the company safe. If employees believe data security is only IT’s responsibility, they won’t understand the role they play.
Many employees think they aren’t important enough to be targeted by attackers, but any employee can be the weak link that exposes sensitive company data and gives bad actors an “in” to the company. By dispelling these misconceptions, organizations can help employees understand how data security applies to their role in the company as well as their life at home. Security awareness is not something you can set up once and forget; it is an ongoing effort.
These are just a few examples of what WIN does to help create a culture of security
- Emails sent to individuals in the company contain reminders to hover over links and verify where they actually point before clicking.
- Co-workers reach out to one another through a second channel of communication to verify that an attachment is legitimate before opening it.
- Each month the security team provides a security update during all-staff meetings.
- A clean desk policy ensures no sensitive data is left out in the open.
- Company policy requires that all users lock their computers when they walk away.
- Reporting phishing emails and the reporting of other suspicious events are celebrated.
- Security training is continuous.
- The security team helps staff understand that attackers deliberately hide malicious activity. A user often cannot tell whether an attachment or website did something malicious, but the sooner IT can respond to a potential security event, the less damage the attackers can do.
- Company leadership creates an environment that makes users feel safe and encouraged to report mistakes and potential compromises.
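The “hover and verify links” habit above can be written down as a check: what matters is whether the text a reader sees matches the host the link actually goes to, and whether that host is one the organization trusts. The following Python is an added illustration, not WIN’s tooling or anything described on this page; TRUSTED_DOMAINS, the sample e-mail and every function name are assumptions constructed for the example.

```python
"""Illustrative link checker for HTML e-mail (added example, not WIN's code).

Compares the visible anchor text with the real destination host and flags
the tricks a hover is meant to reveal: mismatched display text, lookalike
domains, raw IP addresses and user-info before the host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own registrable domains.
TRUSTED_DOMAINS = {"example.com"}

# Visible text that a reader would read as an address.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; a real tool uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons this link deserves a closer look (empty list = nothing found)."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {target.scheme!r}")
    # Visible text looks like an address but points somewhere else.
    if URL_LIKE.fullmatch(text):
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname and host and registrable_domain(shown.hostname) != registrable_domain(host):
            reasons.append(f"text shows {shown.hostname} but link goes to {host}")
    # A trusted name embedded in an untrusted host, e.g. example.com.evil.test or example-com.net.
    if host and registrable_domain(host) not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host or trusted.replace(".", "-") in host:
                reasons.append(f"untrusted host {host} imitates {trusted}")
    if host and host.replace(".", "").isdigit():
        reasons.append("raw IP address")
    if target.username:  # http://example.com@evil.test/ reads as example.com at a glance
        reasons.append("userinfo before host")
    return reasons


def check_email_html(html):
    """Map each href in an HTML body to its list of reasons."""
    parser = _AnchorCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample message, not a real e-mail.
SAMPLE_EMAIL = """
<p>Your password expires today. <a href="https://example.com/reset">Reset it here</a>.</p>
<p>Or visit <a href="https://example.com.evil.test/reset">https://example.com/reset</a></p>
<p>Invoice: <a href="http://198.51.100.7/inv.pdf">Download invoice</a></p>
<p>Portal: <a href="http://example.com@evil.test/login">example.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_email_html(SAMPLE_EMAIL).items():
        print(href, "->", "ok" if not reasons else "; ".join(reasons))
```

The clean link comes back with no reasons; the lookalike host is caught twice (the text says example.com while the link goes elsewhere, and the trusted name is embedded in an untrusted host); the raw IP and the user-info trick are each flagged on their own. The domain split is deliberately crude, so treat this as the shape of a check rather than a finished filter.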
Building a culture of security involves more than just simulated phishing emails
Creating a culture of security is more than learning how to identify phishing emails. It also includes physical security, such as who is allowed to enter the building and what to do with IT equipment that is found at the office or received in the mail, for example a USB drive, which should be handed to IT rather than plugged in.
Ready to learn more?
If you have questions or you’d like to learn more about creating a culture of security, get in touch with us for a no-obligation consultation.