Building a strong cybersecurity culture in your organization is not only possible, it’s a necessity.
With cyberattacks spanning critical infrastructure, SMBs, retail organizations, and commercial businesses alike, addressing cybersecurity with internal users is key.
Successful internal cyber-defense programs are attainable. But first, start from within: involve every person in the organization by taking a team approach that centers on a cultural mindset.
What does it mean to be “cyber-smart”?
Building a cyber-smart culture means continuously working to develop a robust cybersecurity program and educate all users on cybersecurity, from the intern to the CEO, to build institutional awareness of what to be on the lookout for, along with trending cyber threats. A key part of preventing a cyberattack is knowing how to recognize it and the appropriate actions to take once identified.
The human element of cybersecurity is important in achieving success, with research indicating that as much as 90% or more of incidents involve human error. The truth is most computer users don’t learn about cybersecurity in school, which means they bring that lack of cybersecurity knowledge and poor hygiene into the workplace. Attackers are well aware of the shortcomings in people and protection systems. They prey on these weaknesses by reaching users who lack awareness and leveraging social engineering, especially phishing, to accomplish their goals.
Building a culture of cyber defenders through your entire organization is a valuable layer of defense. Here are five tips for building a strong cyberculture:
- Layer Your Employee Training
Companies need to implement and maintain employee awareness training as an ongoing process instead of a one-time project. Cybersecurity can be complicated for non-technical users, so managers should use a variety of educational approaches to be successful. Developing a cyber-smart culture includes ongoing cybersecurity training, awareness reminders, and even tests to ensure individuals know what to look out for and how to continuously protect the data and devices they work with.
A solid cybersecurity awareness program includes educating team members with cyber-education sessions, including online training modules and training videos that focus on awareness of recent threats and “how-to” cybersecurity best practices. Cybersecurity awareness videos have come a long way from the traditional, boring tutorials we might think of. Instead, plenty of engaging content is now available that centers on captivating storylines and real-life incidents, and some of it even features celebrity actors.
Research shows that the majority of malware is delivered via email. By regularly receiving phishing simulations, employees are better equipped to recognize suspicious correspondence and protect their business from a cybersecurity incident. Phishing simulation tools send unannounced phishing emails to employees and, if they take the bait, educate users immediately at the point of failure with a quick video and quiz. Additionally, spot-testing your team is a great way to reinforce best practices while allowing you to track and report on user performance.
Many organizations even go as far as putting fun and educational cybersecurity posters around the office or sharing the same information with remote workers via digital communication tools like Slack. These posters have engaging graphics and quick tips to help reinforce cybersecurity awareness around essential terms and topics.
- Develop an Ongoing Cadence
Remember that cybersecurity is a posture and not a project. Staying in step with cybersecurity means turning your team members into cyber-defenders, and just like your health, that requires ongoing and regular training. They say it takes approximately 10,000 hours to master a skill in a particular concentration. While we can’t expect non-technical team members to become cybersecurity experts, the premise holds true: the more regular and consistent the training, the more knowledgeable staff will become. Some organizations rely only on classroom-style, long-form group training once per year, and perhaps one or two phishing tests each year. That’s just not enough; threats are constantly evolving, and users need to keep current with cybersecurity happenings and know what to expect so that assessing and reacting to cyber risk becomes a proactive, natural response. Develop a regular, ongoing cadence so that your program is always working, and consider using the automated training tools available to remove the manual burden of program implementation.
A successful program takes a top-down approach and participation by the entire organization. That’s why it’s so important that managers and executive leaders set a good example by participating in all training, following the rules, and regularly discussing the importance of cybersecurity with their teams. In many situations, executive leaders are the key targets of cyber attackers; therefore, they are the key users to be trained. Having leadership included in and supportive of the program helps establish an environment of trust, transparency, and encouragement, which makes the program more successful.
- Always Start with the ‘Why?’
Believe it or not, many non-technical users are really interested in cybersecurity, and you can use this to your advantage in explaining WHY it’s important. Share stories and articles about real-life incidents, especially if they relate to your business, and discuss the widespread implications to the business, including its continuity, reputation, and profitability.
Explain why cybersecurity training and controls are in place with straight talk, not technical jargon. By relating stories and the actual impact on organizations, you can explain why your company conducts regular training and the critical need for active participation and a strong companywide posture. There is certainly no shortage of current news events on the topic. With a bit of digging, you may be able to find a recent breach or hack that could mirror your company’s business—leaving you ready to discuss with workers how this could have specifically affected your company.
Since becoming a cyber-smart defender is a new concept for many, it’s important to share with everyone why cybersecurity is so important, what the risks are in everyday work life, what steps the organization is taking to improve its security posture, and the benefits for everyone involved.
- Share the Results
A great way to encourage activity in your program is by showcasing the group’s achievements and presenting actual metrics. For example, a straightforward method is to share the results of the latest phishing simulation or team participation in the recent awareness training.
How did everybody perform as a group? How did they do in comparison to the last campaign or assessment? Most awareness training tools will produce reports showcasing the program’s effectiveness and weaknesses that may need to be further addressed. Find a way to share visual charts with your entire company (for fun and competitiveness). Lead by example; include yourself as the leader in the process and ensure that everyone is accountable, from the intern to the IT director and CEO.
- Use the Carrot, Not the Stick
Flip the switch: Rather than getting upset at someone’s lack of participation in your program, try to incentivize them. Some organizations provide prizes for being a great company cyber-defender. Did an employee pass your phishing campaign with flying colors? Did they complete your monthly awareness training? Offer these users a prize or some other form of recognition, like a wall of fame for exemplary behavior. Some IT teams provide gift cards, hold pizza parties, and hand out vouchers for first in line for tech support. Other organizations are going even further by tying financial bonuses to users who participate. Everyone loves friendly competition, so consider establishing one between departments to see which group ranks at the top of your cyber-defender chart.
Cyber-smart workplace culture is an essential part of a solid cybersecurity foundation. To get great traction with your cybersecurity program, you are going to need not only a layered approach but also to sprinkle some fun into the process. Consider prizes along with open discussions that clearly explain why these pieces of training are in place, and don’t forget to be transparent with results along the way.
Want more information on building an effective cybersecurity program? Check out this recent Cyber Defense magazine webinar.
About the Author
Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform for organizations without dedicated security teams. You can reach Rob at firstname.lastname@example.org
Defendify is a single platform designed to help streamline how organizations build comprehensive cybersecurity policies, plans, education, scanning, breach detection, and more. This means that organizations without security teams can now achieve data protection similar to that of larger enterprise companies, but without the complexity or expense of implementing multiple security technologies and hiring around-the-clock security professionals.