Creating a strong culture of security within organisations
Article by Fortinet director of security solutions Corne Mare.
The importance of a strong cybersecurity posture is not a new concept. Data from the Australian Cyber Security Centre (ACSC) recently revealed that Australian businesses reported more than 2,200 cybersecurity incidents between July 2019 and June 2020.
CISOs worldwide are inherently aware of how significant investment in cybersecurity strategies and technologies can bolster an organisation’s protection against cyberattacks. However, many overlook the importance of culture when it comes to cybersecurity.
Business operations are increasingly moving into the digital sphere, and having relevant technological support and a healthy cybersecurity posture is critical to maintaining and protecting operations. However, neglecting the role that people play in maintaining cybersecurity can significantly weaken the organisation’s security.
The human element can be an organisation’s weakest link and its strongest asset in terms of cybersecurity. Weaving good cybersecurity practices tightly into organisational culture can reduce potential risks and vulnerabilities that cybercriminals can use to attack the business.
Developing a strong cybersecurity culture is as essential as deploying software solutions and technologies to protect systems from breaches. By prioritising regular training sessions for employees on cybersecurity approaches and tools, and distributing frequent updates on the changing cybersecurity threat landscape, organisations can essentially build a human firewall to complement the digital layer of protection.
There are four ways organisations can create a strong culture of security:
Facilitating regular training sessions on cybersecurity processes and policies, conducting frequent mock phishing tests to assess employee awareness, and regularly engaging employees in the wider cybersecurity conversation can strengthen the cybersecurity culture in a company.
When employees can recognise phishing attacks and understand the importance of strong passwords and multifactor authentication, for example, the organisation is just that bit harder for cybercriminals to breach successfully.
Engaging all employees in the conversation around cybersecurity encourages them to follow best practices and develop good cybersecurity habits. This relieves the IT security team of the burden of managing the entire defence of an organisation’s information and spreads it among all employees.
Reducing the reliance on the cybersecurity team and supporting technologies reduces the risk posed by having passive employees who don’t understand their role in keeping the organisation secure.
To empower employees to be a more active part of the conversation, it’s essential that organisations foster a collaborative partnership between the security team and other departments. While the security team acts as the expert that identifies and manages risks, other teams are critical to success by understanding expectations and following policies.
Increasing this understanding can turn humans from being the weak link in the security chain to being a strong link.
While it’s critical to understand that engaging the broader team in cybersecurity is key to building a strong cybersecurity culture, it’s equally important that organisations have the right people involved in facilitating these conversations.
Organisations often look for the most qualified individuals to join their team. While it is essential to have qualified professionals, especially in cybersecurity, it’s also crucial to have team members engaged in their work and eager to grow and learn with the changing cybersecurity landscape.
When workers are more engaged in their subjects, they can foster more robust collaboration and conversation with other workers. This can drive the broader conversation effectively to help build a stronger cybersecurity focus with the wider team.
In addition to fostering greater collaboration and conversation between the cybersecurity team and other departments, it’s essential that organisations implement structures and policies to build a more substantial barrier against threats.
Keeping a balance between physical security measures and the human element is essential. Security teams will always need to implement defence measures such as anti-malware software, incident response and recovery plans, secure access points and access management policies, and data encryption.
However, this needs to be balanced with substantial cybersecurity training for all employees, managing background checks for sensitive data access, and maintaining that conversation with the team.
Keeping all employees updated on potential threats and vulnerabilities, and regularly reinforcing best practice, builds a cybersecurity ecosystem that everyone is responsible for.
By keeping cybersecurity top of mind and continually engaging employees in the conversation, managers can ensure the organisation is vigilant for potential threats.