Over the years, we’ve used technology to secure technology, and for the most part, it’s been done to great effect.
However, we’ve not been so good at using tech to secure people. Given that humans are the primary attack vector, there’s a need to solve “the people problem,” and that starts with breathing life into an organisation’s cybersecurity culture.
According to the OAIC’s latest Notifiable Data Breaches report, human error accounted for 25 per cent of data breaches between July to December 2022. This shows there’s a need for organisations to focus on developing a culture of security best practices.
The stronger a security culture is, the more likely it is that people will behave securely and exhibit secure behaviours. To build a resilient cybersecurity workplace culture, groundwork must be laid, and an attitude that enforces secure behaviour must be instilled in the workplace.
The culture cultivated in the work environment influences the perceptions, beliefs, and values of the people co-existing in it. We can drive a positive cybersecurity culture by educating ourselves and prioritising workplace values such as positivity and collaboration. An overtly authoritative security team who use “a stick” instead of “a carrot” drive the cybersecurity culture of a workplace underground, with staff less likely to identify cybersecurity risks and more likely to see the cybersecurity team as unapproachable.
Instead, if the security team encourage people to participate and ask questions to better understand cybersecurity best practices, a more desired outcome can be achieved. Getting cybersecurity right is essential and leaves little room for error or mistakes, as a threat actor only needs one error to be made by staff to gain access to an organisation.
What can organisations do to drive a positive cybersecurity culture, without falling down along the way?
- Collaboration is key
Self-awareness plays a leading role in this endeavour, and security teams must be able to hold a mirror in front of themselves and ask, “would I buy into what I see here?” It’s a measure that requires an understanding of what people think about the security team. By asking the workforce about their thoughts on the cybersecurity team, you can gain an honest cyberculture health check and an understanding of what needs significant improvement.
These key performance questions can help indicate the organisation’s cyberculture level.
- Do people feel safe reporting incidents? Even ones they might have been responsible for?
- Does the security team receive regular communication from the workforce, such as requests for briefings?
- Do staff understand the priorities of the security team? Do they trust the security team to keep them, and the information they are working on, secure?
- Is the message getting through? If not, why? Is it too technical, too vague, or too unfamiliar?
When trying to steer the security course of an organisation, remember that emotions are vital. It’s very important to facilitate a frank discourse where employees can freely share their thoughts and feelings about everything from the security team to policies and training opportunities.
- Keep things simple
Motivating the workforce to be cyber-secure and ensuring security, are two simple goals that facilitate success. Understanding people and using simple, non-technical language, you can inspire people to do what you want without feeling like you’re burdening them. It is much easier to advise people on positive actions that can assist them in being cyber-secure than providing a list of 20 things they should not do.
- Get creative with your message delivery
Success lies in communicating cybersecurity instructions concisely and simply. Why not make it easy and tell people how much time they’ll save with a new password manager solution that can be installed using a few clear instructions? By being creative and joining forces with your HR or internal communications team, you can brainstorm engaging ways to help communicate your vision using non-technical language. Whilst writing instructions is the most effective way to communicate instructions to the broader organisation, you can make it more of an enjoyable experience for the readers. Placing instructions in a creative medium such as a comic book or on a poster is much more engaging and exciting.
The best managers will tell you that trying to rule with fear is never recommended; the same thought applies to building a cybersecurity culture. Collaborating with employees and speaking to them in simple terms, rather than cyber jargon that will just confuse them is essential. Cybersecurity is everyone’s responsibility, so make sure your entire business feels empowered to contribute meaningfully.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
