4 Steps To Building A Cyber Security Culture In Your Business
13 September 2017 00:00
As security awareness training continues to grow, so too does the number of successful breaches caused by human error. Cyber security is now a widespread focus, but security culture is still falling far behind. Here are our 4 main steps to building a security-minded workforce.
A glance at recent tech headlines will leave you inundated with the latest data breaches, including last week's announcement of the mountains of data exposed by Equifax.
Nowadays, security is widespread and mainstream, but security culture is falling far behind. The focus is paid mainly to securing technology, with end-user training and awareness often seen as an afterthought. The simple fact is, this mindset is continuing to harm the online safety of many of us.
For the protection of clients, consumers and employees, a cyber security culture should be an important business function of any company, regardless of size.
So, to help you build a cyber security-minded workforce, we've put together 4 of our top tips...
Some of the most common cyber attacks and data breaches can be avoided through simple security measures. The problem is, a lot of organisations often forget to train employees on basic security hygiene.
CompTIA found that a massive 50% of employees have never received security training from their employers. Taking measures like the following is vital when creating a security-minded culture.
A) Strong Password Policy
Pet names, re-using old passwords, and post-it notes: no, nope and absolutely never. Employees need to understand why having a complex password is hugely important, and how it can block potential cyber criminals.
B) Enable Two-Factor Authentication (2FA)
2FA has had its fair share of criticism from employees in the past. Often labelled as “inconvenient”, this added level of security might require an extra step when logging in, but the protection it boasts is surely worth it. Encouraging employees to use 2FA might just reduce some of those unneeded risks.
C) Monitor and Enforce
Employees only need access to certain software and systems, so restricting users to those is important for limiting risk. If any suspicious signs pop up (like an unusual login time), this should be logged and flagged. Rules for terminating or disabling access when an employee leaves or is on holiday must also be put into practice.
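To make the three checks in Step C concrete, here is an added example (not code from the original article) that reviews a batch of login events against an employee roster. The roster, the login events and the 08:00 to 18:00 business-hours baseline are all constructed for the illustration; a real deployment would read these from the identity provider and the authentication logs. It flags logins by accounts that should have been disabled, access to systems a user is not assigned to, logins at unusual hours, and accounts that are not on the roster at all.

```python
from datetime import datetime

# Constructed sample roster (assumption, not from the article). "active" is False
# for someone who has left the company; "allowed_systems" is the set of systems
# that person is entitled to use.
ROSTER = {
    "alice": {"active": True, "allowed_systems": {"crm", "email"}},
    "bob":   {"active": True, "allowed_systems": {"email"}},
    "carol": {"active": False, "allowed_systems": {"finance", "email"}},  # has left
}

# Constructed sample authentication events (assumption, not real log data).
LOGIN_EVENTS = [
    {"user": "alice", "time": "2017-09-11T09:15:00", "system": "crm"},
    {"user": "bob",   "time": "2017-09-11T23:40:00", "system": "email"},
    {"user": "bob",   "time": "2017-09-12T10:05:00", "system": "finance"},
    {"user": "carol", "time": "2017-09-12T11:30:00", "system": "finance"},
    {"user": "dave",  "time": "2017-09-12T12:00:00", "system": "crm"},
]

# Assumed baseline for "normal" login hours: 08:00 up to (not including) 18:00.
BUSINESS_HOURS = (8, 18)


def review_logins(events, roster, business_hours=BUSINESS_HOURS):
    """Return a list of (user, reason) findings for the checks described in Step C.

    Each event is checked in order: unknown account, disabled/departed account,
    access outside the user's assigned systems, and login outside business hours.
    An event can produce more than one finding (e.g. wrong system AND odd hour).
    """
    start, end = business_hours
    findings = []
    for ev in events:
        user = ev["user"]
        when = datetime.fromisoformat(ev["time"])
        entry = roster.get(user)

        if entry is None:
            # Nobody on the roster owns this account: worth a look on its own.
            findings.append((user, "unknown account"))
            continue

        if not entry["active"]:
            # A leaver's account should have been disabled; any login is a finding.
            findings.append((user, "login by disabled/departed account"))
            continue

        if ev["system"] not in entry["allowed_systems"]:
            findings.append((user, f"access to {ev['system']} outside assigned systems"))

        if not (start <= when.hour < end):
            findings.append((user, f"login outside business hours at {when:%H:%M}"))

    return findings


if __name__ == "__main__":
    for user, reason in review_logins(LOGIN_EVENTS, ROSTER):
        print(f"FLAG {user}: {reason}")
```

The hour-of-day rule is deliberately crude: a real baseline would be per user or per team and would account for time zones and shift patterns, but the structure (roster lookup first, then entitlement, then behaviour) is the same.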
The old once-a-year tick-the-box approach is still (painfully) apparent in a lot of businesses these days. But these long, cramped, dried-out sessions seem to focus more on satisfying compliance than on actually raising staff awareness. Add to this the habit of treating awareness training as a penalty for bad practice, rather than an effort to educate in advance, and the thought of training sessions becomes even more unbearable for end users.
In short, the list of reasons why many security awareness programs just aren’t up to the job is endless (have a quick skim through our top 5).
There’s a huge need for security training to be consistent, jargon-free, and targeted towards all levels of the company, even the C-suite. Short, informative educational sessions, accompanied by relevant and up-to-date topics, are essential if security culture is really to improve. Gathering metrics is essential for determining just how effective this training has been, and where you might need to improve.
Simulating phishing campaigns against your users is a great way of finding which departments are scoring the lowest, as well as which individuals are more susceptible to clicking links.
Putting the effort and resources into getting your security awareness program right is a great start, but it only goes so far. Security training is a lot more likely to fail if there isn’t a strong and consistent tone delivered from all parts of the business.
After all, gone are the days of cyber security weighing heavily on the shoulders of IT in isolation; cyber security is now a company-wide issue. Security representatives working with stakeholders from various departments can build a full culture of cyber security.
Execs must also share the same support and enthusiasm for reaching security goals as their IT leaders. In the long run, this can increase the security posture of a firm and has the nice byproduct of giving the security team a reputation for being credible.
As the technology around us advances, the threats in the cyber world always seem to adapt in style and sophistication. Take a look at the new-look mobile workforce. We’re now able to use our devices pretty much anywhere we go. But working from home, or from coffee shops and hotels, brings about some serious security risks that aren’t given the attention they deserve.
Keeping your users updated with the changing threat landscape is vital. New techniques tailored to phishing and social engineering continue to fool users into parting ways with sensitive information. This only adds to the need for regular training sessions, rather than the one-per-year approach we continue to see.
Overall, a cyber security culture doesn’t just depend on the work of one group, but on the contributions of all personnel. By having security personnel focus on the security basics, employees engage in interactive and consistent security awareness training, and senior leaders provide consistent advocacy, you can create a holistic cyber security culture in which everyone has a stake.