While the shift to hybrid work and the rise of interconnected systems have created new opportunities for business, this evolution exposed organizations to new and more devastating cyber threats, exacerbating the need for stronger, more resilient security measures. And while modern technology has come a long way in protecting critical data, the truth is, humans are still fallible.
According to Verizon’s 2022 Data Breach Report, 82% of reported breaches involved a human element. Cybercriminals are (still!) just waiting for employees to slip up and click on a link, or overlook a suspicious download, or respond to a CEO’s “urgent request” because they’re focused elsewhere. By cultivating good security habits among employees, you can not only reduce the number of risks that crop up in your organization daily, but also turn your team into a strong first line of defense.
However, tackling security and considering how to implement and foster a culture of security can be daunting, especially when – as an entrepreneur – your list of priorities is a mile long. My advice? Repeat after me: cybersecurity isn’t just for the IT department.
Security culture refers to the set of behaviors or customs that a group of people adopts to prioritize security in everyday operations. It’s the idea that security is everyone’s responsibility, not just something for the IT department. It involves turning security best practices into habits that your entire organization follows instinctively. Examples include:
- Developing the habit of locking computer screens when you step away from your workstation.
- Using a sign-in app at your front desk for all visitors, whether they’re accompanied by staff or not.
- Deploying the principle of least privilege for user accounts.
- Protecting professional contact information by giving it out on a need-to-know basis.
- Having a set of security policies that all staff are required to review and sign.
Security culture helps make cybersecurity awareness second nature, letting your team focus on business while keeping the company safe.
How to Cultivate an Information Security Culture
Security culture is powerful because it addresses the blame culture approach that many organizations take. Gigaom’s State of Ransomware 2022 and Beyond report revealed that 88% of global respondents believe there is a blame culture in the cybersecurity industry, and 94% of those who recognize the blame culture said that it could also be a deterrent to the speed of reporting an incident.
When employees feel empowered to act, they’re less likely to hide potential breaches out of fear of repercussions. The following five steps can help encourage your team to embrace a security culture and assuage any legacy fears associated with a culture of blame:
- Make It About Learning, Not Consequences
Out of fear, employees may brush off suspicious activity or hide cybersecurity incidents rather than report them. If, instead, employees know that the most likely outcome for them will be additional training or reduced responsibility when something goes wrong, they might be more likely to notify the security team.
Rather than emphasizing punitive measures for employees who fall prey to scammers, focus on positive feedback for the things they do right. That ensures employees feel good about security and empowered to act when the moment arises.
- Establish Formal Policies
Ensure your employees know exactly what they should and should not do in any given instance through the creation of formal policies to guide them.
Depending on what your company does and your industry, you may need well over 10 policies – from best practices when working in a hybrid environment to human resources, data classification and email. You can take a DIY/templated approach, or you can work with a partner to customize policies for your business, which can include everything you need for compliance with HIPAA, SOC 2, or other frameworks and regulations. Once you’ve got the policies, you also want to make sure you establish a system to manage employee agreement and task assignment and to report on security compliance.
- Schedule Training Simulations
In a crisis, it’s easy to freeze if you don’t have a clear plan of action already determined. Live-action training like simulations, table-top exercises, and roleplaying can help staff understand how and why a security incident unfolds and what to do about it. Make these semi-frequent and use them as educational opportunities to keep your employees up to date with current threats.
Phishing simulation software can also be used as part of your training and awareness program, which can help you evaluate how your employees respond to attacks in their inboxes. Of note, in 2021, Verizon’s Data Breach Investigations Report found that nearly 40 percent of breaches featured phishing.
- Don’t Keep Security in a Silo
Part of maintaining strong information security involves promoting good communication between colleagues and departments, particularly when working in a hybrid or remote environment. Your employees should never feel shy about reaching out if they have questions or concerns. They should feel able to:
- Forward suspicious emails to the IT department or designated security team member for investigation
- Reach out to coworkers through other means, like Slack, text, or phone, if they receive a suspicious communication
- Report a potential incident, unusual activity, or a breach
- Implement Security Frameworks
Security frameworks are guides that can help you secure your organization without accidentally leaving anything out. These can help you decide which policies you need, give you a benchmark for compliance, and put you in a strong position when you need to answer vendor security questionnaires.
There are many out there – SOC 2, ISO 2700K, and NIST are several popular standards for tech companies. If you don’t have a security framework yet, the CIS Controls is a good starting point – thorough while being intuitive enough for non-IT employees to grasp. Using the CIS Controls as your framework also puts you in a strong position if you later decide to adopt other security frameworks.
Leveraging a framework can also show you where any weak points or vulnerabilities stand, helping you to secure your company before those holes are exploited. Depending on your needs, you can use an internal reporting tool or a third-party auditor to monitor your compliance.
Fostering an information security culture can dramatically improve the overall security within your organization. Your employees are the frontline of defense against cyberattacks and malicious actors. Cultivating a security culture will empower them to be more discerning when they encounter potential attacks and help safeguard your organization from devastating impacts related to cybercrime.