Security Culture

Make yourself a hard target

How do employees, managers, and leaders in an organization think about cybersecurity? Their answers, taken together, define the security culture. Security culture is the cumulative effect of awareness, policies, training, and ultimately the day-to-day behavior of everyone who interacts with the organization's systems and data. It is not a one-time achievement: it requires constant vigilance and repetition to maintain.

How to Improve Security Culture

1. Executive Leadership is Essential

Security culture is a prime example of people following the behavioral cues of their managers. If management is not serious about cybersecurity, employees will not be either. Making sure executives and managers are trained in the required cybersecurity practices, and are seen to follow them (no exemptions from multi-factor authentication or phishing training for the leadership team), helps this attitude cascade throughout your organization.

2. Make Visible Investments

When employees see an organization investing in the right technologies, it demonstrates that the organization is serious. Visible and effective security deployments reinforce the expected standards of behavior and continually remind employees that cybersecurity is a priority, which strengthens your security culture.

3. Avoid Punishing Mistakes

If the organization punishes cybersecurity mistakes, employees will hide them. Considering how long it takes most organizations to identify a breach, an early warning from an employee who suspects something bad has happened is essential. The recommended solution is to reverse the incentive: reward people for stepping forward, even when the report turns out to be a false alarm. Treating reports of suspicious activity as welcome rather than embarrassing encourages vigilance and shortens the time between compromise and response.

4. Educate, Test, and Discuss

A user awareness program is a great way to keep cybersecurity top-of-mind for your employees. A good program includes high-quality education materials, a phishing simulation module that periodically sends realistic suspicious e-mails to see whether readers can be fooled into clicking a link or entering credentials, and regular cybersecurity talks that reinforce the training concepts. Consistent with the previous point, use simulation results to measure and improve the program, not to single out individuals.

5. Response and Recovery

Cybersecurity events are inevitable for every organization, no matter how much it focuses on prevention. A strong security culture therefore invests time, energy, and money in preparing to respond and recover. Such preparation means having a documented incident response plan (IRP), a designated team that owns the plan and executes it when an event happens, and regular exercises so the plan is tested before it is needed. The absence of a plan amplifies the consequences of an attack and communicates to employees that you don't really expect anything to happen.