In part one of this blog, I looked at why positive cybersecurity culture can be more effective and lasting than programmes or time-limited initiatives. At a practical level, I looked at the first three steps to putting that culture in place. It starts with the importance of leading by example and the often unspoken signals that influence everyone else’s behaviour. Then, I covered the bedrock of any culture: spreading knowledge to everyone – in this case, knowledge of security risks – and the good behaviour that mitigates them.

Now comes attitude. If something goes wrong – and at some point it probably will – does the organisation look for someone to blame, or is it ok to make mistakes? The organisation’s approach to this will tell you more about its cybersecurity culture. Let’s remember that many data breaches happen due to good intent. You have people trying to do what they think is the right thing, like taking work home with them to finish an important project. But in doing so, they end up bypassing rules or breaching policy.

1. Invest in a cybersecurity culture

In an organisation with a good cybersecurity culture, a manager will see this behaviour not as flouting the rules but as a willingness to work hard. It’s also an opportunity for a “teachable moment”; instead of taking paper files, why not suggest bringing a laptop that has encryption automatically enabled? (By the way, the best security solutions are the ones that work without you thinking. Encryption on the laptop is there whether the user knows it or not, and it doesn’t slow the laptop down.)

If the organisation’s attitude is one of readiness to invest in tools that help security while enabling people to do their jobs, it shows the business has a positive attitude: it cares about its employees doing good work, and also about the data it protects.

2. Lead the way by behaving yourself

As previously discussed in part 1 of this blog, the third part of the cycle is behaviour. If attitude is about the right mindset, behaviour is about following through with actions. In a positive cybersecurity culture, people at all levels should feel they can report problems. This could range from suspicious activity on the network, to a problem with the security policy if it prevents people from doing their work effectively. If the business doesn’t act upon these reports, or worse, singles people out for speaking up, then it fundamentally weakens efforts to create a positive cybersecurity culture. Don’t shoot the messenger!

Organisations with a positive cybersecurity culture make training regularly available. Don’t assume that people already know things (and it’s always someone’s first day) – training doesn’t have to be expensive and can be given in-house. This also calls for a mindset change for the people in charge of security. The security department often have the reputation of being the ‘Department of No’. If people have a question like “why do we use Microsoft OneDrive and not Google Drive?”, for example, then the security person or team need to be open, accessible and available to listen. Positive culture is about guiding people in the right direction rather than just saying “you can’t do that”.

3. Reward the good and punish the bad

Part of the work in promoting good cybersecurity is about having consequences for behaviour you don’t want to happen. There has to be some kind of penalty structure for people who refuse to accept the rules and will try to bend them even when they know what’s expected.

If there’s an accidental data loss, the line manager needs to speak with the offender, who may then benefit from taking extra security awareness training. Keep in mind this could be an organisational issue. If people haven’t been told about the risk of taking work home or haven’t been given an encrypted laptop, then the organisation is at fault. Good security culture doesn’t look to blame people instead of addressing a company problem.

But if the action is deliberate then the punishment needs to be stricter. If there are no sanctions for serious or repeated negative behaviour, what message does that send? Everyone else in the business will quickly come to understand there’s no incentive for doing the right thing either.

4. Use training to embed cybersecurity culture

This comes full circle back to knowledge. Continuous awareness helps to keep cybersecurity at the forefront of people’s minds. Additionally, it will embed the good behaviour the organisation wants to see. Another principle to help drive cybersecurity culture is defence in depth. One security control alone – such as encryption on laptops – is good but won’t fix the problem by itself. Multiple layers of controls are ideal, and they don’t all need to involve expensive technology. Training people how to come up with a good password, not to write it down, and not to carry it around in their laptop bag, costs little or nothing but is still a very effective control.

Regularly sharing useful security information with people reminds them to do the right thing and helps them to do it. There are a lot of resources available online for free, such as SANS Ouch, a monthly newsletter that’s easy to understand. You may need to remove the technology references for some audiences and increase them for others, but it’s a fantastic starting point. If you’re dealing with developers, OWASP has lots of good processes and practices. ENISA also has a lot of good awareness information that’s freely available.

5. Treat cybersecurity as an enabler

A positive culture treats security as an enabler, not an obstacle. Our CEO Brian Honan often uses the analogy that likens security to brakes on a car. Some people think brakes are there to slow you down and stop you but think for a moment: how fast would you drive if you had no brakes? I did some research and discovered the car with the best brakes in the world is the Porsche 911. When most people think of a Porsche they picture a cool-looking car that can go very fast; but the fact that it can stop in a heartbeat means you can drive it very fast (subject to speed restrictions of course).

It’s proof of what’s possible when you bake security into your design: it lets you do so much more. In the work context, it means the organisation can be more comfortable with allowing its people to work remotely, or use mobile devices. With the appropriate controls, you can take risks within reason. That’s when you know you have a positive cybersecurity culture.