Inherent to any conversation about cyber awareness training is the reality that organizations need to change their cultures, which can’t happen without strong leadership. As we’ve seen with mobile security strategies, though, business efficiency and productivity too often trump security.
The very idea that companies need to change their corporate cultures to truly make security awareness part of their profit and loss statements might sound too Pollyanna for some. The goal might seem lofty, but it doesn’t have to be, and the change doesn’t need to happen overnight. After all, it’s better to take smaller steps toward slow change than to do nothing and fall victim to cyberthreats.
Promoting Cyber Awareness From the Top Down
When security awareness and training mandates don’t come from the top, there is very little potential for change. Creating a cyber-aware culture also demands a shift in the way organizations treat security. The role of the chief information security officer (CISO) is evolving, and while some are making headway toward becoming influencers at the top level, many CISOs don’t feel respected within their organization. Cybersecurity is still largely seen as part of IT rather than a profession in itself.
All the while, phishing remains a popular method of gaining initial access among cybercriminals, and 49 percent of companies that have already suffered a significant attack are targeted again within a year. Enterprises can no longer kick the can down the road and accept “good enough” as a viable solution to mitigating the risks of human error.
Many organizations understand the risks associated with the human factor but lack the time, staff or other resources to fully understand what a cyber-aware workforce means to the organization. But when it comes to creating a culture of security awareness, there are no stupid questions.
Here’s one to ponder: Why do 65 percent of CISOs spend sleepless nights worrying about phishing scams, and why do 61 percent fear disruption to processes caused by malware? It’s likely because they know that human beings represent the weakest link in their security chains.
Another question to consider: Would CISOs worry less if they felt confident that their organizations were cyber aware? Building a culture of security is not a Pollyanna dream — especially if it is supported from the top down.
Let’s face it: Any human being within any organization could fall victim to a scam. If you think you are exempt from that because you are the CEO, I’d advise you to leave your ego at the door. Phishing scams don’t discriminate, and the security of your organization is not about you or how clever you are — it’s about risk.
That’s why building a cyber-aware culture begins with risk management. According to Reg Harnish, CEO of GrayCastle Security, “A successful cybersecurity culture cannot exist without first identifying your organization’s risk tolerance.” Once you understand which systems need protection, you can make informed decisions about how to secure enterprise data and set expectations about employee behavior.
Do’s and Don’ts for Changing Corporate Culture
Changing a corporate culture is not the same as security awareness training. Awareness training is a critical part of creating a cyber-aware culture, but it is only one piece of the fiber that defines an organization. Culture is more broadly defined by its social norms. Security leaders should keep the following do’s and don’ts in mind when endeavoring to change employee behavior.
Do Expect Mistakes
Because employees are a critical line of defense when it comes to protecting against cyberattacks, it’s important to value them as much as you do any other security tool. Recognizing that no defense is foolproof, security leaders should also prepare for the inevitability of human error, regardless of how well employees are trained.
Don’t Punish Errors
When users are blamed, reprimanded or even fired for their mistakes, they are far less likely to report incidents when they occur. Why on earth would you approach the security team to confess that you accidentally clicked a malicious link when you could be fired? You wouldn’t.
Do Build Morale
A more effective approach is to make employees feel like partners so that they know where threats are coming from and can work collaboratively to help each other avoid security incidents.
Don’t Rely on Annual Training
The standards of teaching and learning that apply in the classroom don’t change when adults become part of the workforce. If the goal is to educate, the training needs to be multifaceted, ongoing and consistent. Use alternative assessments to determine the effectiveness of the training programs you are using. If you don’t see progress, try something new.
Do Set Achievable, Companywide Security Goals
The key is to start small. A measurable goal might be to reduce the number of employees who click on a malicious link during a simulated phishing attack. When setting goals, ensure that they can be tied back to the employees. Connect the security of the organization to their own personal privacy. To convince employees to change their behaviors, security leaders must first help them understand how their actions impact the security of the organization.
A Culture of Cyber Awareness Is Attainable
When security leaders set reasonable, incremental goals and demonstrate a willingness to try new training methods when traditional approaches fail to yield results, creating a culture of cyber awareness doesn’t have to be a pipe dream. In fact, it’s an absolute necessity given the volatility and increasing sophistication of the threat landscape. Cybercriminals are masters of manipulating human nature to convince employees to do their nefarious bidding. It’s time for security leaders to better understand the human element of cybersecurity and use these insights to protect their employees and enterprise data.