The importance of fostering a culture of cybersecurity

With cybercriminals becoming increasingly sophisticated and determined, it pays to have everyone singing from the same hymn sheet.

By Tim Ferguson

Tue 25 Sep 2018 @ 16:55

Most companies will have an in-house cybersecurity team and a range of vendors dedicated to the task of keeping the organisation secure. But another important source of support should come from the people who make the company tick: the general workforce.

There is only so much the IT security team and security technology can do to prevent a breach from taking place. With cybercriminals becoming increasingly determined to access networks through rapidly evolving and ever more sophisticated cyberattacks, perimeter protection is no longer enough. As a result, it’s now essential to put technology in place to detect nefarious activity and to contain and stop it as quickly as possible.

But organisations shouldn’t be complacent and believe that, just because they have the latest cybersecurity capabilities in place, they will be immune to compromises. If they are, the investment in security technology may be wasted.

Companies that fail to make cybersecurity part of the corporate culture are leaving themselves open to risk that technology won’t necessarily be able to pick up on or contain. This is particularly true given the increasingly mobile workforce employing external wi-fi to access internal documents, working from home and using their own devices and cloud services.

A recent Forbes article outlines what companies should keep in mind when trying to promote a culture of cybersecurity effectively across their organisation. This includes focusing on people and creating a baseline of understanding.

On a basic level, there are certain threats that can be effectively stamped out if security becomes embedded into the way in which employees do their jobs. The success of phishing and social engineering attacks could be significantly reduced if employees consider the security implications of responding to dubious emails or downloading items that they can’t validate as being genuine.

In addition, knowing not to use unsecured networks or share passwords is a basic hygiene necessity. Indeed, carelessness by employees, such as the reckless transfer of data to portable storage devices, can lead to major issues, as can skipping basic security steps for the sake of convenience. There are safeguards that can be put in place – for example, two- or multi-factor authentication for applications – but making people think more about security will always be beneficial.

A general awareness of what employees should look out for during the course of their work can also be important. For example, if a colleague has placed confidential documents into their own cloud storage, alarm bells should ring. Likewise, colleagues should start asking questions if unusual changes appear in a document stored in a computer folder that only a handful have secure access to.

Obviously, you don’t want a culture of suspicion. But you should want one in which employees are informed and vigilant, meaning they pay closer attention to how business data and information is used, where it is located and where it is moved to.

Building a cybersecurity culture essentially boils down to training and awareness. However, this is no easy task: research by IT management product provider SolarWinds found that more than a quarter of UK businesses said that inadequate end-user security training is one of the main reasons why they felt vulnerable to cyberthreats.

But there are ways to make training more effective, such as computer-based training (CBT), open discussion forums and gamification. Looking at gamification, which Gartner defines as “the use of game mechanics and experience design to digitally engage and motivate people to achieve their goals”, there is evidence to suggest it works.

Working with a gamification consultancy, carmaker Ford created an online training community with levels, badges and trophies that encouraged friendly competition among staff members. The community had more than 100,000 unique visits the day it went live. Similarly, Deloitte incentivised cybersecurity awareness by creating communities on its own learning portal that encouraged employees to enter into friendly competition with peers, with high performers being recognised as ‘security champions’.

Organisations need to adjust their culture with policies that reflect the changing ways in which staff access work information, and provide training that has an impact. If they can do this, they stand a much better chance of keeping threats at bay.