
The Key to Better Cybersecurity: Develop a Security Culture

Humans are creatures of habit. All in all, we do the things we do because that’s the way that we’ve always done them.

The same can be said of cultures in our society and in our workplaces.

In terms of long-term business viability, culture is everything, especially as it relates to information and data security. Culture is a key factor in whether a business can grow and protect itself from cybersecurity risks.

In this article, we aim to outline the levers that can aid in instilling a strong security culture.

The benefits of security culture

A strong security culture is both a mindset and a method of operation. One that’s integrated into every employee's day-to-day thinking and decision-making can make for an almost impenetrable operation. Conversely, an absent security culture will lead to uncertainty and, ultimately, cause security incidents that you and your organization cannot afford.

According to the U.S. National Cyber Security Alliance, 60% of small businesses cannot sustain their businesses beyond six months after a cyber-attack.

Ira Winkler, author of Advanced Persistent Security, believes that every organization already has a security culture that’s either weak or strong. Ira defines security culture as the result of consistent behaviours by individuals within an organization.

But how do you get employees to adopt security-focused behaviours? There are a few key principles that can keep security at the forefront of your employees’ daily routines.

  • Ingrain the concept that security belongs to everyone.
    Many organizations have the opinion that Security or IT departments are solely responsible for security. But in reality, a sustainable security culture is the responsibility of every employee.

    A reward system that’s tied into compensation can serve as a great motivator along with periodic security training. The key is that everyone must be on board.

    In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by employees. Learn how to protect your organization from insider threats.

  • Embrace organizational security top down.
    It all starts at the top. Executive leadership on security is essential for garnering employee buy-in. Executives must also communicate and set priorities with middle management and encourage employees to integrate security practices every day. Additionally, the C-level should be held to the highest standards in the business to set the right example.

  • Make security engaging and fun.
    People often associate security with boring training or someone saying no all the time. To develop a sustainable security culture, build engagement and fun into every part of the process. If you have specific security training, ensure that it is not a boring PowerPoint presentation.

    Gamification reinforces learning and encourages desired behaviours in fun, simple ways.

One way to gain employee buy-in into your security culture is to reinforce positive actions through an incentive program. There are some simple choices you can immediately implement to start influencing security attitudes across the organization, including:

  • Make security awareness a component of annual employee reviews and require employees to meet a certain standard to be eligible for a promotion.

  • Find polite ways to call out employees who aren’t representing a security mindset. For example, when an employee leaves his or her computer unlocked, teammates can send an all-staff email or Slack message saying “Hey team, I’m buying lunch for everyone” from that person’s computer.  

The risks of not focusing on security are well documented. Breaches can cost companies customers, degrade the brand and harm the business. At the other end of the spectrum, creating a strong security culture can actually help a company carve out a differentiated market position.

Wherever your organization sits on the security culture spectrum, there are always things that can be done to make the culture better.

So, do what’s right and get started now. Security culture takes time to develop.

 
