How a cybersecurity culture eats technology strategy for breakfast
A famous phrase in business says culture eats strategy for breakfast. In other words, your business objectives will not be met if your people aren't aligned, trained, and on the journey with you.
This is absolutely true when it comes to beating cyber crime.
When people think about cybersecurity, they often think of technical security measures to help protect their businesses. But it's the behaviour of employees that is critical for an organisation's cyber defence. According to a recent report in Forbes Magazine in September 2022, more than 82% of data breaches in the previous year involved a "human element."
Cyberthreats are here to stay in the digital age. Cyber crime is one of the mega-themes of the current decade, and cyber attacks are getting more sophisticated. The best and lowest-cost way for businesses to protect themselves is to create a culture of cybersecurity awareness and establish clear processes so that employees can spot attacks as they are happening. Well-trained employees are the most effective security control. And that needs a cultural response. Not just a technical one.
So what are the key elements of a cyber culture? Well, here are three that we think are among the most important:
1. It starts at the top
One of the most critical points is that it has to start from the top. Those in the C-suite need to lead by example. Executives cannot expect their employees to heed cybersecurity warnings if it is not a top priority for the senior management team and the Board.
We recently came across a large organisation that wanted to roll out cyber training for its 1000+ employees. However, the CEO and the whole Board of Directors wanted to exclude themselves from the process. This was despite them being the highest-value targets in the organisation, and having received no cyber training at all before. Their publicly published risk register rated cyber risk as Risk No.1 affecting the company. And yet they weren't actually prepared to walk the talk at the top.
Needless to say, the program didn't go so well and employee engagement was poor when the training started. Staff openly asked, 'What's the point if they aren't doing it?' When the Board and the Executive team eventually reversed this error and made it clear that they were personally engaged, the whole business took notice and engagement improved massively. Over the next year the number of cyber incidents fell from overwhelming to a small, manageable number trending in the right direction. There's the proof right there, if any were needed, that taking it seriously at the top works.
2. Protect your business with your people
Cybersecurity awareness training is vital for every business to protect against cyber risks. Organisations need to know that culture is a core cybersecurity control, not an optional extra. It's a tactic and a tool, and like every tool it needs to be continually assessed, strengthened and adapted to ensure it's fit for purpose. Train, train and train again. It's not set and forget. The goal of every company should be to create a culture of cybersecurity to ensure the business develops resilience and minimises losses of all kinds - time, money and reputation - when faced with a real-life cyberattack.
Being proactive is critical as well, and that's what culture does. Companies should encourage employees to jump in and raise the alert when they think they see anything that could increase the risk of a data breach or intrusion. Employees can be empowered to remind one another not to leave their company devices unattended, for instance, and to lock their screens when they leave them to prevent unauthorised access. These responses are cultural: they say 'this is the way we do things around here'. And they go a long way to protecting the business.
3. Keep it tailored and interesting
To keep employees up to date with the latest threats, the technical and executive parts of a company can collaborate with the human resources (HR) team to deliver engaging, continuous security awareness programs that are interesting and tailored for the audience.
Creating slideshows and telling people to read emails is boring and won't cut it. Instead, employees need to be directly involved in their own learning. Platforms like Cyberfi that are self-paced, interactive, rich in content, and contain a myriad of tips, tricks and advice create conversations amongst employees, up-skill them without being overly technical, and support the foundations of a cybersecurity awareness culture.
The C-suite and board members are specific groups that require tailored training to meet their unique needs and to protect the company's most sensitive information assets - Board and executive communications and reports. It's not one-size-fits-all, and training materials and approaches can be built upon over time to ensure everyone receives the knowledge and training they need to perform the role required.
Like we say, culture eats strategy for breakfast. A cybersecurity awareness culture is essential in every business, large or small, if you want to get things done safely in today's digital age.