It has been proven repeatedly that people are the weakest link when it comes to an organization’s efforts to prevent cyber-attacks that lead to costly data breaches. In fact, 74% of all breaches involve the human element – people unwittingly falling prey to threat actors either by way of error, privilege misuse, stolen credentials or social engineering, according to Verizon’s 2023 Data Breach Investigations Report.
This is why businesses, organizations, institutions, and other enterprises should cultivate and sustain a strong cybersecurity culture to successfully foil attacks and achieve cyber resilience.
A positive cybersecurity culture refers to the values that determine how individuals are expected to think about and approach cybersecurity in an organization, as defined by the UK National Cyber Security Centre (NCSC). Furthermore, cybersecurity culture is shaped by an organization’s goals, structure, policies, processes and leadership.
Security culture is not to be perceived interchangeably with workplace culture, and a positive workplace culture alone doesn’t guarantee a strong security culture.
The current landscape of cybersecurity is hyper-focused on awareness, risk factors, the increasing frequency of attacks, economic instabilities, and what’s possible next for threat actors with the rise of near-limitless artificial intelligence platforms like ChatGPT.
Fortunately, this has made cybersecurity a vital asset for all organizations, and much remains at stake, including private data, intellectual property, financial assets, reputation, competitive advantage, and internal operations. Notably, Verizon’s breach report found an overwhelming number of breaches are financially motivated (95%).
Yet, despite increased accountability and investments toward mitigating attacks, many leaders within organizations do not feel confident that their current systems and processes are effective in protecting individual employees, data and operations. While CISCO’s Security Outcomes Report, Volume 3, found that 96% of executives believe security resilience is critical to their businesses, two-thirds of respondents reported suffering major security incidents that jeopardized business operations.
However, as the report also points out, there’s a bridge between risk and resilience – cybersecurity culture. According to CISCO’s report, organizations that foster “a culture of security” see a 46% increase in resilience.
This month is recognized as National Cybersecurity Awareness Month with a theme in 2023 designed to remind everyone of how easy it is to stay safe while browsing and using the internet. With that in mind, here are six strategies for organizations to effectively build a cybersecurity culture that leads to sustainable resilience:
Start From the Top
As part of the cybersecurity program, security leaders must ensure executive leadership is on board with cultivating a cybersecurity culture. The most important aspect of security culture is for C-suite executives to set the tone for the rest of the organization. Employees must understand that they all have a role in mitigating risks and maintaining their organization’s security resilience. A strong message from the CEO at an organization’s town hall can emphasize the significance of security awareness training and how cybersecurity affects the goals and operations of the organization.
Moreover, leaders should be accountable for supporting standards, processes and policies. For example, to align leadership and cybersecurity at DeVry, we formed a cyber risk committee of executive leaders who help review and provide feedback on security policies.
Embed Security Throughout the Organization
Make sure to embed security throughout the organization. Is security part of your project management processes? When security is the foundation of all processes, checks and balances are put in place to ensure that security is top of mind for everyone involved in a project’s lifecycle. Furthermore, managers and employees are more likely to view security protocols as an important step in what they do, which aids an effective cybersecurity culture across an organization.
Practice Security Hygiene
If an organization wants to ensure that security is embedded inside the organization’s processes and protocols, then everyone will need to practice good security hygiene to build that muscle memory. For instance, do employees at all levels know how to report phishing appropriately? How often do they do it? Using questions like these as metrics will help paint a picture of how top-of-mind security is for employees, let security leaders know how often training needs to be performed to mold best practices and bring clarity to the strengths and weaknesses of an organization’s security culture.
Run Tabletop Exercises
Running tabletop exercises are important for testing an organization’s overall cybersecurity and security culture. Tabletop exercises simulate real-world cyber incidents, allowing organizations to identify flaws or weaknesses such as gaps in communication, knowledge or technical vulnerabilities. During an exercise, participants are taken through the process of dealing with a simulated incident scenario and gain hands-on training. It is beneficial for security leaders to provide tabletops to employees at all levels.
Change up Security Communication Tactics
Communication is critical to achieving a sustainable security culture. This shouldn’t mean delivering the same security messages repeatedly to employees. Albert Einstein said it best: “The definition of insanity is doing the same thing over and over and expecting different results.” Instead, it’s best to ensure that cybersecurity insights and messages are shared across the organization in as many ways as possible. At DeVry, we often use several channels to communicate cybersecurity to employees. For instance, our IT department publishes security news and tips in a newsletter format distributed to colleagues and students. We also provide security tricks and tips on floating wallpapers.
Reward Employees’ Good Behavior
Lastly, it’s beneficial to recognize and promote positive security actions taken by employees, such as incidents when they succeed in reporting phishing emails by not clicking malicious URLs. Rewarding these good behaviors can help employees understand their individual impact on their organization’s cybersecurity. Recognition helps shape security culture and allows employees to view it as a priority and responsibility.
On the other hand, when employees fail a phishing test, for example, providing just-in-time training can help them understand what was wrong with the message they received and how to spot red flags in the future.
Effective cybersecurity culture requires commitment from the top down, diverse communication, regular training and practice, individual accountability and integrating security into all processes within an organization. By taking these steps, security awareness will become embedded into the core of an organization’s culture, defining its resilience.