How to Create and Maintain a Company-wide Cyber Security Culture
In corporate culture today, cyber security often feels like something only the IT department needs to worry about. It barely registers on staff consciousness, and probably only as a sense of annoyance that their password needs to be updated so frequently.
The trouble with this lack of awareness and overall attitude is that staff are often the weakest link in a company’s cyber security plan. No amount of systematic protections can stop a staff member from clicking a link in a phishing email, or connecting their work laptop to an unsecured network. In fact, 95% of all cyber attacks occur through human error.
The only thing that can stop these unforced errors is to ingrain a company-wide cyber security culture. Every person in the company, from the CEO down, should be aware of the risks, and most importantly, they need to understand how their actions can lead to catastrophic security breaches. Hackers move faster than companies do, so it’s important to maintain a culture of risk awareness.
So how can an awareness of the importance of cyber security be instilled into your company? Let’s look at what cyber security actually involves, where the weakest link is (hint: it’s your staff) and how to improve security through training and awareness campaigns.
What is cyber security for business?
Cyber security is critical in the digital age. Billions of pounds of commerce are conducted online every year. It doesn’t matter if your company has a very small slice of that pie or if you have a multi-million pound turnover. If you have confidential data stored digitally, you are at risk.
Cyber security can be very comprehensive. Strategies can be in place to protect each of the seven OSI layers:
- Physical: the actual hardware you use
- Data Link: how the data is transmitted between points
- Network: building and managing the internal networks your company uses
- Transport: protecting how the data moves within the network
- Session: managing how data is transmitted between 2 points over a period of time
- Presentation: translating data between a network and an application (e.g. encryption, encoding)
- Application: resource sharing, remote access, the information on screens your staff interact with
This is all well and good, but there is also an ‘8th layer’ – your staff. No matter how well you structure your cyber security to protect against incursions at any technological point, a staff member can undo it all by clicking a single link in a fraudulent email.
Why is this so important? In 2015-16 alone, almost a quarter of businesses in the UK saw misuse of their company systems. It’s likely that this figure is higher, as there is a tendency for companies to underreport IT and security issues. In Q1 2016, the quarter-to-quarter increase in phishing emails was almost 800%. Ransomware grew 300% year-on-year, becoming close to a billion-pound-a-year problem. The notable point here is that hackers have realised the easiest way in is through human error.
What are the most common consequences of security breaches for business?
- Brand/reputation compromised
- Intellectual property theft
- Financial losses
- Legal exposure/lawsuits
- Loss of shareholder value
- Fraud and
This is why developing a cyber security culture within your staff is so important. Let’s look at how this can be achieved.
How to develop a cyber security culture in the workplace
There are four key features in a strong security culture. We break this down further below.
- It is deliberate, with a clear set of actions to encourage changes
- It is fun and engaging for staff
- It is rewarding to engage in security practices
- It provides strong return on investment
Educating staff (and getting them invested)
There can be a lack of understanding of how staff put the security of the company at risk. Once the real risks are illustrated, staff are often surprised. Staff cannot correct what they do not know. Developing an awareness of the vital role they play in protecting the business is the first step.
It is important to make sure staff understand the actual work that cyber security teams do. Once they understand the efforts that are already being undertaken, it can place their own efforts into context and make them feel a part of the effort, rather than security practices being seen as an inconvenience.
A full-day training session on the importance of cyber security might seem like a quick and efficient way of getting staff on board. It’s not. A conference room and a projector remove all context for staff, and make it very difficult for them to take the information back to their own workstations and apply it. A one-time blitz will see a brief uptick in vigilance, but the attitude must be maintained long term. Here’s how to do it instead.
Train in small groups with modern methods
Often there is a disconnect between what a staff member knows they ‘should be doing’ and what they actually do at their computers. To help close this gap, incorporate the most up-to-date training styles in small groups. Engage with ‘gamification’-style training – where staff play online games that reward them for secure behaviour and illustrate the consequences of lapses. These lessons are novel, memorable and applicable to their actual online behaviour.
Slow and steady
It might be tempting to go all in straight away, but this may overwhelm or confuse staff, burden them, and distract them from their actual job. Select your key weaknesses and aim to strengthen them as a priority, then be strategic about filtering in cyber security training around other areas.
Use inductions as an opportunity
When you onboard new staff, make sure the cyber security policy isn’t just one more paper to initial or box to check. Go through it during induction processes, and have someone from the security team work with the new employee to set up their workstation and emphasise protocols.
Reward and Recognition
Seek out opportunities to celebrate success. Reward staff who identify and report suspicious activity. Provide bonuses for completing additional cyber security training and engagement will be high. Remember, the ROI on this investment will be evident for every day your company goes without suffering a catastrophic breach.
Culture change takes time. If attitudes have been lax, staff may initially resent firmer policies. Changes can be seen as creating roadblocks rather than providing the individual and the company essential backup. Again, this is why getting staff to ‘buy in’ to the idea of cyber security is critical to success.
Build in safety nets
As changes are rolled out, even the most well-trained staff member can have a lapse of awareness or get distracted at a critical moment. If you are aware of this weak point in the net, you can take actions to shore up defences. Consider implementing:
- Two-factor authentication: require a password and a second one-time code that must be entered to access networks. This may be perceived as inconvenient, but it provides an opportunity to clarify the responsibility and consequences.
- Patches: software updates are notoriously ignored or delayed. If it’s possible to automate these updates or have them install after hours, do so. Systems that remain outdated have known security weaknesses that are easy to breach.
- Strong passwords: Again, it can be perceived negatively to require complicated passwords, but they are critical. Increased complexity creates a barrier, and frequent changes help to stay ahead of teams dedicated to breaching your security.
- Monitor access: make sure staff can only access what’s required for their role. It’s critical that exit plans are followed when a staff member leaves the company – deleting profiles, changing passwords and otherwise removing access (especially remote access) is urgent. If usage can be tracked, set up notifications for out-of-hours use or logins from ISPs that are not based in the area where your staff member is located.
- Install VPNs on company devices: to allow for additional protection when using wifi networks away from the office.
- Track temporary access: create special guest logins for contractors that are required to access your system.
- Ban external devices: do not allow personal devices to connect to the company networks. Do not allow personal USB drives to be used, and keep official USB drives within the office network. They are a frequent entry point for viruses.
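As an added illustration of the ‘monitor access’ item above (example code written for this article, not a tool the article describes), the script below scans constructed login records for out-of-hours logins, logins from a country other than the one the user is registered in, and logins by accounts that should have been removed when the staff member left. The log format, the staff directory, the list of leavers and the office hours are all assumptions.

```python
from datetime import datetime

# Constructed sample audit log: timestamp, user, source country, action, result.
SAMPLE_LOG = """\
2024-03-04T09:15:00 alice GB login success
2024-03-04T23:40:00 alice GB login success
2024-03-05T10:02:00 bob GB login success
2024-03-05T11:30:00 bob BR login success
2024-03-06T03:12:00 carol DE login success
2024-03-06T14:00:00 dave GB login success
"""

# Hypothetical staff directory: the country each account holder normally works from.
HOME_COUNTRY = {"alice": "GB", "bob": "GB", "carol": "DE"}
# Hypothetical leavers whose accounts should already have been disabled.
DEPARTED = {"dave"}
# Assumed office hours in server-local time: 08:00 up to (not including) 19:00.
WORK_HOURS = (8, 19)


def parse_line(line):
    """Split one log line into (timestamp, user, country)."""
    ts, user, country, _action, _result = line.split()
    return datetime.fromisoformat(ts), user, country


def find_anomalies(log_text, home=HOME_COUNTRY, departed=DEPARTED, hours=WORK_HOURS):
    """Return a list of (timestamp, user, reason) for every login that should
    trigger a notification: outside office hours, from an unexpected country,
    or by an account that should have been removed on exit."""
    start, end = hours
    findings = []
    for line in log_text.strip().splitlines():
        when, user, country = parse_line(line)
        if user in departed:
            findings.append((when, user, "login by departed account"))
            continue  # already a finding; no need to check the other rules
        if not start <= when.hour < end:
            findings.append((when, user, f"out-of-hours login at {when:%H:%M}"))
        expected = home.get(user)
        if expected is not None and country != expected:
            findings.append((when, user, f"login from {country}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for when, user, reason in find_anomalies(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M} {user}: {reason}")
```

In a real deployment the directory and leaver list would come from the HR or identity system, and the findings would feed the notification channel the article recommends.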
Get staff on board with changes
If staff members cannot see the value in implementing stricter policies, they will fail to adhere to them, or resist them. This can cause more problems in the long run. It is far better to explain clearly how supporting security practices protects them as well as the company.
All it takes
Sometimes staff do not realise the far reaching consequences of their actions. Illustrate that ‘all it takes’ is falling for one phishing email, or using the insecure cafe wifi to log into the company network, to bring down the entire system. Engage them with case studies of times this has happened to similar businesses.
Your security team can send out simulated phishing emails or run security breach drills discreetly. Gather the feedback that will highlight where staff broke protocol or fell for false data. You could run this prior to any training to gather a baseline, and use the data to inform your training programme. Run a similar exercise after training to measure implementation and uptake. Remember to depersonalise any examples of breaches in training so individuals aren’t compromised in front of others.
There can be a distance between the IT security department and staff. Communication is often limited to problem solving or updating passwords – not exactly an open exchange. This closed relationship can hinder cyber security efforts. Staff should feel confident about reporting potential breaches, odd screens or data results and suspect emails. Create clear pathways to report suspicious activity. There should be no negative consequences if the report is proved unfounded.
Visible implementation strategies
One challenge that confounds data security efforts is that they can seem invisible, because they happen out of sight in software or in the cloud. Physical actions can be taken too – they let staff see that things are happening, and allow them to be a part of it.
- Restrict access to computers and offices to staff only
- Enforce a strict sign in policy for contractors and visitors
- Utilise obvious visitor credentials and empower staff to report any stranger without one
- Don’t allow company documents to be removed from the office – screen bags if required
Build constant awareness
Include a cyber security update in internal newsletters, with tips, reminders and competitions, to capture staff attention. Publicly reward staff for good practices. Make it clear that every staff member, from the CEO down, is involved and on board.
If there is a genuine breach
Despite the best efforts of staff, it is possible a true security breach may occur. If it does:
- Forensic investigations need to be completed if a breach is detected to understand what happened and how to prevent it from happening again.
- These detailed investigations can sometimes identify previously unnoticed breaches happening under the radar.
- Don’t be shy about communicating when/if this happens – it shows transparency, and demonstrates a willingness to take responsibility for data security.
- It can also be good for staff – once the dust settles it can be used as fodder for training/awareness campaigns.
Given the potential consequences, there is little doubt that embedding a strong cyber security culture is critical to the success of your business. If you choose not to get your staff on board, they will unwittingly become the gatekeepers to digital invasion, theft, destruction or blackmail. These are not easy issues to address. The investment you make in training will pay off every single day you do not suffer a breach. Developing a cyber security culture in your workplace may be the thing that saves it.