The ways organizations should go about establishing a strong internal cybersecurity culture were discussed by a panel during the Tech Predictions Mini Summit.
The speakers first acknowledged that cyber-criminals are increasingly exploiting the lack of security awareness among staff to target organizations. Javvad Malik, security awareness advocate at KnowBe4, outlined social engineering attacks and credential stuffing attacks as among the main vectors he sees employed, methods which trick users into clicking on a malicious link or giving away crucial information.
Marianna Pereira, director of email security products, EMEA, at Darktrace, agreed, noting that “what we are seeing is that attackers are really tapping into those basic emotional responses that we’re prone to have, whether it is a sense of urgency, fear, doubt and uncertainty.” She also observed that criminals are leveraging trust in these attacks, for example by gaining access to a corporate email account to send phishing links to unsuspecting customers. “The recipients will trust the source and therefore be more likely to engage with that,” she added.
Recognizing that staff are often the biggest risk to organizations, and taking steps to improve basic cybersecurity understanding and behaviors, is therefore critical. Martyn Booth, CISO at Euromoney Institutional Investor, said that simply outlining secure behaviors is not enough; to create real change staff need to appreciate why such practices are important in order “to bring them along the journey.” With this in mind, at Euromoney, sessions have been brought in that show staff how they can be more secure in their personal lives “in the thought that they will bring that with them to work.”
Being able to communicate well with various personnel throughout an organization is a crucial component of building a strong cybersecurity culture, according to the panellists. The first step is to tailor language appropriately. “Remember that context is everything,” explained Pereira. “If we’re communicating to executives about the risks it’s important for us to put it into the context of why this matters to the business, what is the consequence of not doing it. When we’re talking to the different teams, I find it’s helpful to find use cases and real examples that they themselves have been involved in.”
Malik stressed the importance of being especially mindful of the kind of language used by security teams when addressing non-technical personnel. He even suggested that it might be helpful to work with marketing teams to ensure the language is fully accessible when creating policies and procedures. Ultimately, the purpose is to change behaviors rather than simply providing information. “Often security teams aren’t the best skilled people to deliver that message so collaboration with marketing or communication professionals to help tailor that message to an audience is very useful,” he stated.
However, Booth disagreed with this point, saying that “the onus should be on the security professional to be better at the information that they share.”
The panellists went on to discuss how security teams can become more approachable within organizations, becoming viewed as an enabler and working to find solutions with employees rather than being a department that says “no.” Part of this involves acceptance that errors can be made and encouraging employees to come forward and report issues they see, enabling security teams to take quick action. Malik commented: “If we blame or try to shame people for clicking on a link then they’ll be reluctant to come forward – they’ll make up an excuse.”