The Importance of Making Cybersecurity a Part of Your Company Culture
Most organizations are fully aware of the importance of effective cybersecurity strategies and the risks of what can happen without them. Companies have devoted both time and resources to training and educating their staff accordingly, but that isn’t enough. Without a valued culture of cyber awareness, an organization faces a higher risk of attack.
Often in cybersecurity incidents, the weak link into the network is a person within that organization. That could be someone who clicked the link in a phishing email, used a compromised flash drive, or simply had an easily hackable password. By cultivating a workplace culture where cybersecurity best practices are embraced across the ranks, employees are more likely to take potential threats more seriously.
Investing in educational materials and training is important, but creating company-wide change ultimately comes down to behavior modification. According to Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS), employees who believe they are responsible for keeping the organization and its data secure are more likely to do that. By changing employee attitudes and perceptions towards cybersecurity, organizations can truly begin to create a cybersecurity culture.
Making Cybersecurity a Value
Cybersecurity training is a baseline step that is necessary, but to build this culture of cyber awareness and appreciation, managers need to take additional steps. It’s more than simply providing the resources to educate employees—organizations need to integrate the importance of cybersecurity into the ethos of the company. All employees—from the CEO down—need to be reminded of their role in keeping the organization secure.
Cybersecurity should not be the sole responsibility of the security or information technology teams. While a strong strategy should start there, these best practices need to trickle down the leadership chain. After identifying behaviors they want to see throughout the organization, leaders should strive to make that happen by encouraging change at all levels.
Pearlson writes, “Values, attitudes and beliefs drive behaviors. People do what they believe is important and valued,” which is something to be kept in mind when developing strategies.
Cybersecurity at All Levels
In her research, Pearlson identifies three tiers in which a company can deploy strategies to transform cybersecurity into a company value: leadership, group, and individual. She argues that by effectively utilizing discussions and other action items in each tier, employees have a better chance of realizing—and valuing—their role in the company’s cybersecurity strategy.
Leadership: This group encompasses company management. We know that Chief Information Officers (CIOs) display good cyber hygiene, but other non-cyber executives—including Boards of Directors—should also be embracing and displaying proper cybersecurity behaviors.
Group: Discussions about cybersecurity best practices and cyber awareness should be present in group meetings at every level. Proper cyber etiquette needs to be talked about often, both formally (presentations during Zoom meetings) and informally (breakroom chats over the coffeepot). It should be integrated into how teams function. Cybersecurity culture should be collaborative, with teams working together to learn how to be more secure in their workplace.
Individual: Not only should individual employees know how to identify potential cyber threats, but they should also feel empowered to act on their knowledge, whether that’s reporting a phishing email or making a point to use a strong passphrase.
How to Create a Culture of Cybersecurity
Making cybersecurity part of a company’s ecosystem is not as tricky as you might think. A large part of the success depends on how well it’s marketed to employees. They’ve all completed the training and know to some degree that cybersecurity is important, but to many it’s really the why that matters.
Teach cybersecurity awareness based on your industry. Why is it important? Remind employees about your organization’s mission and integrate that into messaging around cyber best practices.
Focus on the data. Data protection is critical in cybersecurity. While different industries maintain different datasets, putting an emphasis on the importance of securing that information can be crucial to some employees fully embracing clean cyber hygiene. For example, protecting PII might resonate more with workers in insurance or healthcare versus those at an arts nonprofit.
Consider the company’s reputation. Customers are far less likely to want to do business with a company that has been involved in several data breaches.
Here are some tips to utilize when crafting a culture of cybersecurity in your organization:
- Go beyond simple training by appointing a culture change leader—a non-tech executive who is focused on making cybersecurity a company value via messaging, action items, and other activities.
- Target messaging to your organization—focus on the why. What is relevant to your people, and what resonates with them? Review this regularly to see what is and isn’t working.
- Make cybersecurity awareness fun! This can apply to training and messaging (think memes and other pop culture references). Some organizations have had great success gamifying their cyber protocols. Something as simple as receiving a cookie for successfully identifying and reporting a phishing email can go a long way in making cyber awareness the norm.
- Include cybersecurity training in formal evaluations. Devoting part of a performance review to an employee’s success (or lack thereof) in identifying phishing emails can make cybersecurity training mean more than just checking a box on a to-do list.
Most importantly—start now. It is no secret that the speed, frequency, and severity of cyber attacks are increasing. Creating this type of change is not something that can happen overnight, but a cyber attack is. By starting now, your organization is one step closer to being secure on all fronts—from the CEO to the newest intern. Cybersecurity is a team effort, so remember to target your messaging to your team.