SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Building a cybersecurity culture in your organisation
Thu, 15th Sep 2022

When people think about cybersecurity, they often think of technical security measures to help protect their businesses. While these measures, including endpoint security software and firewalls, are important, they are not sufficient by themselves to build a cyber-resilient organisation. The behaviour of employees is also critical to an organisation's cyber defence: Verizon's 2022 Data Breach Investigations Report found that 82% of the breaches it analysed in 2021 involved a "human element", such as social engineering, error or misuse.

Cyber threats are part and parcel of the digital age, and cyber attacks will only continue to become more sophisticated. The best way for organisations to protect themselves is to foster a culture of cybersecurity awareness and give employees clear, practised ways to spot and report attacks.

With the right approach and IT infrastructure, employees can become one of the most effective security controls an organisation has. The key to an effective cybersecurity culture is recognising that people, properly prepared, are a formidable first line of defence against cyber attacks.

1. Establishing culture starts from the top

While cultivating a cybersecurity culture is challenging, one of the most important points to note is that it has to start from the top. To encourage a security-first mindset among employees, C-suite executives need to lead by example and set the tone for awareness throughout the organisation. Executives cannot expect their employees to heed cybersecurity concerns if it is not a key priority for the management team.

Executives also need to actively promote key messages to employees, either virtually or in person, at company events. For instance, you can start every all-staff meeting with a cybersecurity story to highlight to everyone in your organisation that it is an intrinsic part of corporate values.

To ensure that employees across the company understand the importance of safe online behaviour, cybersecurity information also needs to be delivered clearly. If you want to foster change, communicate in terms employees understand: demystify jargon so that the objective of each request is obvious. Messaging is critical to building engagement and fostering a cybersecurity culture.

2. Create security awareness programmes tailored for different groups

As cyber threats become more complex by the day, organisations must ensure that teams are constantly educated on cybersecurity to remain protected. To keep employees up-to-date with the latest threats, Chief Information Security Officers (CISOs) can collaborate with the Human Resources (HR) team, which normally leads corporate training programmes, to organise security awareness programmes.

In the course of planning for these programmes, businesses should also bear in mind that employee engagement is key to participation. This means that simply creating slideshows will not be enough. Instead, employees need to be directly involved in their learning. One way to encourage participation among employees is to include incentives, setting goals for the team and rewarding them when objectives are met.

At the same time, while security awareness programmes usually focus heavily on rank-and-file employees, the rise in business email compromise and social engineering attacks shows that executives also need regular training. The C-suite and board members are specific groups that require training tailored to their unique needs. These programmes should cover the types of attacks that target executives, such as fraudulent payment requests sent in the name of a senior leader, and train them to recognise and respond to those attacks.

3. Communication alone is not enough

Even if you have a proper cybersecurity awareness programme in place, consider running simulated social engineering attacks that mimic real-life phishing, as such drills help employees remain vigilant. Measure not only who clicked but also who reported the message and how quickly, since a fast report is what gives the security team a chance to contain a real attack; and treat results as training data rather than grounds for punishment, or employees will stop reporting.
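To turn phishing drills into something the programme can act on, the results need to be aggregated by the same groups the training is tailored for (section 2 above). The following is an added example, not code from the original article: it takes constructed sample results from two simulated campaigns and computes, per group, the click rate, the report rate and the median time to report, then flags groups whose numbers call for tailored training. The field names, group labels, campaign names and thresholds are all assumptions for illustration.

```python
"""Summarise phishing-simulation results per employee group.

Added example, not from the original article. The rows below are
constructed sample data, not real campaign results; field names,
group labels and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample results: one row per recipient per simulated phish.
# 'clicked'        = followed the lure
# 'reported'       = used the report-phish button
# 'report_minutes' = minutes from delivery to report (None if not reported)
# Note c.ortiz: clicked, then reported. That is still a useful outcome,
# because the report is what lets the security team respond.
SAMPLE_RESULTS = [
    {"user": "a.lee",   "group": "finance",     "campaign": "invoice-q3", "clicked": True,  "reported": False, "report_minutes": None},
    {"user": "b.ng",    "group": "finance",     "campaign": "invoice-q3", "clicked": False, "reported": True,  "report_minutes": 4},
    {"user": "c.ortiz", "group": "finance",     "campaign": "invoice-q3", "clicked": True,  "reported": True,  "report_minutes": 35},
    {"user": "d.kim",   "group": "finance",     "campaign": "invoice-q3", "clicked": False, "reported": False, "report_minutes": None},
    {"user": "e.rao",   "group": "engineering", "campaign": "invoice-q3", "clicked": False, "reported": True,  "report_minutes": 2},
    {"user": "f.ali",   "group": "engineering", "campaign": "invoice-q3", "clicked": False, "reported": True,  "report_minutes": 7},
    {"user": "g.chen",  "group": "engineering", "campaign": "invoice-q3", "clicked": False, "reported": False, "report_minutes": None},
    {"user": "h.cole",  "group": "executive",   "campaign": "ceo-wire",   "clicked": True,  "reported": False, "report_minutes": None},
    {"user": "i.diaz",  "group": "executive",   "campaign": "ceo-wire",   "clicked": True,  "reported": False, "report_minutes": None},
    {"user": "j.park",  "group": "executive",   "campaign": "ceo-wire",   "clicked": False, "reported": True,  "report_minutes": 90},
]

# Assumed thresholds: flag a group if more than 20% clicked or fewer than 50% reported.
MAX_CLICK_RATE = 0.20
MIN_REPORT_RATE = 0.50


def summarise_by_group(results):
    """Return {group: {recipients, click_rate, report_rate, median_report_minutes}}."""
    by_group = defaultdict(list)
    for row in results:
        by_group[row["group"]].append(row)
    summary = {}
    for group, rows in by_group.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r["clicked"])
        reports = sum(1 for r in rows if r["reported"])
        times = [r["report_minutes"] for r in rows
                 if r["reported"] and r["report_minutes"] is not None]
        summary[group] = {
            "recipients": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(reports / n, 3),
            "median_report_minutes": median(times) if times else None,
        }
    return summary


def groups_needing_tailored_training(summary, max_click=MAX_CLICK_RATE, min_report=MIN_REPORT_RATE):
    """Return {group: [reasons]} for groups that clicked too often or reported too rarely."""
    flagged = {}
    for group, s in summary.items():
        reasons = []
        if s["click_rate"] > max_click:
            reasons.append("click rate %.0f%% above %.0f%%" % (100 * s["click_rate"], 100 * max_click))
        if s["report_rate"] < min_report:
            reasons.append("report rate %.0f%% below %.0f%%" % (100 * s["report_rate"], 100 * min_report))
        if reasons:
            flagged[group] = reasons
    return flagged


def first_report_lead_time(results, campaign):
    """Minutes until the first report of a campaign: how soon the security team would hear of it."""
    times = [r["report_minutes"] for r in results
             if r["campaign"] == campaign and r["reported"] and r["report_minutes"] is not None]
    return min(times) if times else None


if __name__ == "__main__":
    summary = summarise_by_group(SAMPLE_RESULTS)
    for group, s in sorted(summary.items()):
        print(f"{group:12s} n={s['recipients']} click={s['click_rate']:.0%} "
              f"report={s['report_rate']:.0%} median_report_min={s['median_report_minutes']}")
    for group, reasons in groups_needing_tailored_training(summary).items():
        print(f"tailored training: {group}: " + "; ".join(reasons))
    for campaign in ("invoice-q3", "ceo-wire"):
        print(f"first report of {campaign} after {first_report_lead_time(SAMPLE_RESULTS, campaign)} minutes")
```

On the constructed data the executive group is flagged on both counts and the finance group on click rate alone, while engineering, which clicked nothing and reported most lures within minutes, is not flagged at all; that is the kind of per-group picture that tells you where the tailored sessions of section 2 are needed. The first-report lead time is worth tracking separately from the click rate: the "ceo-wire" lure was first reported after 90 minutes, which in a real incident is a long window for a fraudulent payment request to sit unchallenged.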

Organisations should also encourage employees to be more proactive when they come across anything that could potentially increase the risk of a data breach. For instance, employees should remind one another not to leave their company devices unattended, particularly if they are still logged on, to prevent unauthorised access.

Protect your business with your people

All in all, cybersecurity awareness should be a crucial part of every business's protection against cyber risks. Organisations need to remember that culture is itself a security control: it needs to be continually assessed, strengthened and adapted, like any other. Ultimately, the goal of any organisation should be to nurture a culture of cybersecurity that ensures organisational resilience and minimises loss when a cyber attack does occur.