Creating a Cyber Security Culture…
We’ve been banging the drum for increased awareness of Cyber Security in the workplace, for what seems like forever.
Thankfully we’ve been fortunate enough to help some large organisations bolster their Cyber Security defences – which we have achieved by focusing primarily on their employees.
Human error remains the dominant cause of data breaches – data breaches that not only cost organisations a great deal of financial damage, but reputational damage too.
And it is not malicious deliberate acts from employees that are posing the greatest security threats to organisations. No, instead it is their employees’ lack of awareness of potential threats, and their subsequent risky behaviour, which poses the greatest danger.
It’s a frustration of ours that organisations invest heavily in technological solutions to help guard against cyber threats, and seem to forget about their employees. While in no way are we saying that they should not be investing in technology – what we mean is that they should also be investing in the people part of the problem. Which will clearly reinforce and back up the technological investments being made.
It is therefore very much about creating a cyber risk-aware culture. A culture in which employees are able to recognise potential risks, understand the correct behaviours to take to guard against the threats, and know exactly how to respond when incidents do occur.
When it comes to cultivating a cyber risk-aware culture, we believe there are three main elements organisations should be focusing on.
Cultivating a cyber risk-aware culture
It is still leaders who are largely responsible for the setting of culture. Therefore leaders must lead by example by showing just what is required from other employees.
Leaders must be fully aware of all cyber security threats, and be able to demonstrate this understanding to everyone else in the business. They should do this through consistent communication, collaboration, and the sharing of relevant news and information from the monitoring that should be continually being undertaken on security threats.
This is an important method for increasing initial awareness of cyber security. It should begin as early as employee on-boarding, and then continue throughout an employee’s entire lifetime – delivered at on-going regular periods.
The goal here really is to help shape behaviour – by educating employees on how they should be behaving, and the importance of doing so in relation to risky situations.
We’ve found that training is most effective when done in more informal, non-traditional ways –
especially given that the subject is widely perceived as being dull and dry in nature.
We’ve actually employed digital games, and have had great success with them as a training tool.
What goes hand-in-hand with training (to increase awareness and change behaviour) is communication.
As we’ve already stated, communication from leaders helps to shape culture. But additional internal communications are also needed to continually reinforce the desired organisational culture too.
What we always seem to find is an ‘it’ll never happen to me’ kind of view from employees. Furthermore, employees don’t think they’ll be affected directly – so they think the organisation can deal with any issues that may arise from a security breach.
Success therefore comes when you can connect employees to cyber security on a personal level. By focussing on exactly how cyber risks CAN directly impact them and their life – even their family, friends and loved ones.
This is where storytelling becomes so important. Stories that engage on a human level, and which employees can relate to, become powerful tools for change.
These stories are able to highlight the threats, show the consequences that can occur when the required behaviour is not demonstrated – all while further educating and reinforcing what is being learnt in training.
So the above are the three main areas we always focus on when we’re briefed to improve cyber security at an organisation.
But as you can imagine, before you can begin work on the those three areas, there are a few other things you need to do, things that will inform the approaches you take within the three main areas.
How to get started with building your Cyber Security culture
Honestly, the best thing you can do now is to just pick up the phone and give us a ring. We’ve got so much experience when it comes to Information Risk Management campaigns, that we’re able to bring a wealth of knowledge and understanding to your Cyber Security campaign.
But if you still need a little bit more convincing. Below are some of the things we’d do if we were you, at the very early stages:
1. Identify the threats that your program will be focussed on.
Here you need to sort of check the current pulse of your organisation when it comes to cyber security. You’ll need to prioritise all of the potential threats. And also make sure that you fully understand your organisations current culture, so that you can incorporate this into creating an appropriate Cyber Security culture – one that fits in with your values and mission. Therefore it is a culture that your employees can relate to.
2. What will your cyber aware workforce look like in the future?
In a nutshell, you’ll need to decide what you will need in order to create your desired cyber security culture. This’ll involve looking at the structures needed to put in place. Such as roles that will need to be created and relevant people appointed. And of course how everything will be managed – training, procedures etc.
3. Develop a plan to get from where you are to where you want to be.
Once you’re clear on the current state of your cyber security culture, and how you want it to develop, the next step is to begin planning.
You’ll have short term and long term plans. Short-term plans will involve high priority behaviour change – those behaviours that are posing the greatest risk to your organisation. And it’s important to try and nab yourself some quick easy-wins here. This’ll allow you to make a good early start on building your preferred culture.
Two other key considerations
1. Multi-channel approach
You don’t need us to tell you that in order for you to reach your intended audience, you’ll need to use a number of different channels to do so. Any good IC pro will be able to identify the different channels that are best used to reach different members of your organisation. And as we mentioned earlier, use different formats and platforms so as to engage employees – just like we did when we used mobile digital games as a training tool.
2. Segment employees
We’ve talked about segmentation in internal communications a few times before. And we feel nowhere is it more important than with Cyber Security.
You can’t expect to use the same training or comms messages on both an I.T worker and a regular office worker. Clearly their different roles and responsibilities will mean they’ll be exposed to different levels of cyber security threats. And so training and communications need to be tailored to their position, understanding and needs.
Furthermore, you can’t lift a solution that was used at one company and plant it down to be used in another. It just won’t work. There is no one-size-fits-all solution when it comes to cyber security.
Any large culture change, takes time. But when it comes to improving your organisations ability to guard against cyber threats, focussing on your employees is a cost effective long-term solution that you just can’t ignore.
And like we said earlier, if you’ve no yet begun work on creating a cyber risk-aware culture, then you must start – immediately.
And while we may have outlined the ways you can begin. Embarking on something of this size can seem daunting. That’s why we’d love to partner with you on your journey. And what with the amazing experience we have operating in this space, we’re sure by giving us a call, you’ll soon realise that was the best call you could have made.
Until next time…