Symantec’s 2016 Internet Security Threat Report shows that almost half of all cyber security attacks target small businesses with less than 250 employees. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses cannot sustain their businesses beyond six months after a cyber-attack.
Even big companies can experience a long-term hit to their brand and revenue after an attack. Target’s massive breach in 2013 affected the personal information of 60 million and the credit-card details for 42 million customers. Four years after the Target attack, Rippleshot estimated total losses had reached $2.5 billion.
Criminals take the path of least resistance. The weakest link is the employee. Data breaches are mostly the result of employee error or an inside job, according to the ACC Foundation: State of Cybersecurity Report. The best way for organizations to protect themselves is to create and foster a culture of cyber security awareness.
An organization’s security culture always exists and is either weak or strong, according to Ira Winker, author of Advanced Persistent Security. He defines security culture as the result of consistent behaviors by individuals within an organization. To create consistent behaviors, the organization must create awareness of the desired behaviors by having a good security awareness program.
Here are 6 strategies to build an organization’s cyber security culture
1. Embrace organizational security top down
Executive management and business owners must go beyond funding a security awareness program. Instead, they need to be visible on screen and in-person promoting the same key messages to employees during training and at other company events. Executives must also communicate and set priorities with middle management and everyone on the board to encourage employees to integrate security practices every day.
2. Establish security policies, standards and procedures
Everyone in an organization including employees, contractors, management and the board should have acceptable behaviors that are defined and written down. There should be little confusion about what behavior is appropriate and consistent for the organization’s security culture.
For example, at the National Security Council, all employees wear badges. Anyone not wearing a badge will be reminded by coworkers or flagged by security to put it on immediately. Employees are not to talk about work related topics outside work. Work related documents do not leave the building and every bag is searched as employees leave the building. This set of consistent behaviors is documented and practiced by all employees that has become the NSA security culture.
3. Create ongoing security awareness programs that are fun and engaging
Many organizations have a once a year training period about security awareness. To keep employees motivated, training should be delivered throughout the year in small groups covering simple and easy to understand topics. Gamification reinforces learning and encourages desired behaviors in fun simple ways.
Examples of gamification include introducing contests, points, funny newsletters and other activities that motivate and encourage employee participation. The goal is make security awareness an ongoing reminder that rewards people for taking certain actions in the same way people use frequently flier miles or grocery rewards points at retailers. Many organizations have a once a year training period about security awareness. To keep employees motivated, training should be delivered throughout the year in small groups covering simple and easy to understand topics. Gamification reinforces learning and encourages desired behaviors in fun simple ways. Examples of gamification include introducing contests, points, funny newsletters and other activities that motivate and encourage employee participation. The goal is make security awareness an ongoing reminder that rewards people for taking certain actions in the same way people use frequently flier miles or grocery rewards points at retailers.
4. Focus on security basics
Organizations often forget to train employees on basic security hygiene. According to a study by CompTIA, “nearly 50 percent of surveyed employees never received training from their employers.”
The most common cyber attacks and data breaches can be prevented by simple security measures like the following.
a) Strong password policy: Employees need to be told why having a complex password makes it much harder for a cyber criminal to break in.
b) Patches: Organizations need to set up a patch program where all software and systems are updated regularly including emergency fixes.
c) Enable 2FA (two-factor authentication): This added layer of security requires the person to type their regular password followed by a one-time code when logging into an account or service. Many employees do not know how to set 2FA up or find it inconvenient. Additional training will show employees the negative consequences of not using 2FA.
d) Monitor and enforce access: Limiting access to certain software and systems limits risk. Rules must be put into place to restrict employee access to only what they need and use. At the same time, access must be either terminated or disabled when an employee or contractor leaves or goes on vacation, based on the company policy. Log and flag a user’s behavior for unusual login times in the day or evening. Having a series of checks and balances lays the groundwork for a good security culture.
5. View security as an enabler
Employees often associate IT Security departments and personnel with doing something wrong or as the “department of no”. This negative image of security does not encourage employees to ask questions around security awareness or report unusual emails or activity. Employees need to be allowed to challenge a colleague when they see examples of poor security in the organization. They must also have the trust of management and security in that they will not be punished for doing something wrong. Instead, they should be allowed to get clarification, asking for further training and be allowed to learn from mistakes rather than be reprimanded.
6. Assist telecommuting employees to work safely
The changing workplace allows employees to work from coffee shops, automobiles, hotels and home offices. Employees need an open and trusting line of communication with security staff and management to minimize taking short cuts with customer data or work files. For example, virtual private networks are relatively simple and easy to use. Employees must be educated that a remote workforce requires additional steps that reduce the potential for a cyber attack and data loss.
Creating a cyber security culture is the responsibility of every employee, manager, and contractor to prevent against a cyber breach or cyber attack. Engaged employees who receive ongoing awareness training and communication fosters a strong cyber security culture.