Cybersecurity culture in a workplace is positively promoting and embedding safe cybersecurity practices. It’s proactively educating employees on potential cybersecurity threats and on the right behaviour to mitigate such threats going forward. There are lots of good reasons for having a cybersecurity culture within your organisation, here’s two:
- The risks and threats are now so varied and widespread that the chances of suffering a security incident are very high. Both the National Cyber Security Centre and the Central Bank of Ireland have warned about this. So having a cybersecurity culture contributes to reducing the risk and keeping an organisation safer.
- Another benefit of having a strong cybersecurity culture is GDPR compliance. One of the principles behind the regulation is privacy by design. The idea here is that everything an organisation does is geared towards protecting personal information.
One of the most effective ways to achieve a cybersecurity culture is to aim for operations that treat security as baked-in, rather than bolted-on. That way, security thinking becomes embedded in how you design those operations, rather than an afterthought. Think of it like building a house: If you want to put a porch on the front or skylight windows, it’s more efficient and cheaper to design it at the start rather than tearing a hole in the roof later on.
(A quick aside: I know cybersecurity doesn’t equal privacy, and privacy doesn’t equal cybersecurity, but one feeds the other agenda. Together, they can help to foster a mindset throughout an organisation that makes people think carefully about the data they use and the steps they take to protect it.)
In this blog, I’ll take a closer look at three ways to start establishing a cybersecurity culture and how it can work in practice.
1. Lead by example to strengthen your cybersecurity culture
Cybersecurity programmes and projects are all well and good, but the problem with using words like that is that they imply an end date. That’s why I prefer a cybersecurity culture: it’s always there, ongoing and evolving – it should never stop. It involves good security awareness and behaviour. Everyone should know what the organisation expects of them and they should get continual reminders about it. The goal is to reach a point where good cybersecurity behaviour becomes a habit.
The key word in that last paragraph, by the way, is ‘everyone’. Any workplace culture only works if all staff members from the boardroom to the basement follow the same set of rules, consistently. The higher you go up, the more you find people in a position to influence others. Signals and cues are very telling indicators of a culture. For example, if managers or senior people come to work in suits, everyone else understands they may be expected to dress smartly. If they sign in and swipe their pass at the door like everyone else, it shows that this is an important rule to follow. On the other hand, if they expect the security guard to just wave them through, that’s sending the wrong message.
2. Spread knowledge about good cybersecurity behaviour
I find it helps to think of cybersecurity culture as a continuous circle, made up of three elements: knowledge, attitude and behaviour. Each element feeds into the other, but in my experience, knowledge is the best place to start. The levels of knowledge around cybersecurity can vary widely. Some companies might be technically literate but that doesn’t mean they know about cybersecurity. (I might be great at driving a car; that doesn’t mean I know how the engine works). So you still have to educate your audience in the right cybersecurity behaviour. Just because someone is a technical genius, you shouldn’t assume they understand what you might think of as ‘common sense’.
Here’s where a cybersecurity policy comes in. Over the years, I’ve seen so many badly written policies. Some businesses tend to overdo them with pages and pages of rules, when really the document should be simple and clearly set expectations for all staff. It should say: do these good things, don’t do those bad things, and here is what’s meant by good and bad. A policy should also explain the consequences for anyone who doesn’t follow the rules – up to and including dismissal for serious misdemeanours.
3. Reinforce positive cybersecurity messages
When formulating a policy that you want everyone to follow, words matter. Psychological studies show that it’s more effective to reinforce positive messages instead of drawing attention to negative behaviour. Psychologists will also tell you that if someone on your team is about to take a penalty, you should give them positive encouragement. However if you say “don’t miss….”, they might only hear the last word. Obviously, there are times when you have to say: “you’re not allowed…”. But the balance should be in favour of vocabulary like “we want you to use secure file transfer” or “we want you to use encryption so you can access information safely”.
Stay tuned for part 2 of my blog. I’ll be looking at the follow-up actions you can take to embed a positive cybersecurity mindset throughout your organisation.
The author of this post David Prendergast, is a senior consultant at BH Consulting.