Three ways to build a cyber secure culture across your organisation
Cyber security has become one of the biggest talking points both inside and outside of technology circles. From the CEO to HR and Security Officers to Chief Marketing Officers, organisations are placing much needed emphasis on the security implications of increased digitisation. Accelerated by the COVID-19 pandemic and the huge shift towards remote working, it is more important than ever for organisations to understand cyber risk and create a positive cyber secure culture to protect both their data and their reputations.
Adopt a people-centred approach
Historically, many organisations have focused on investing in technology to improve their network infrastructure, enhance firewalls, and prevent risky behaviour. In addition, most organisations already have cyber security training in place to improve employee awareness of cyber risks. Despite this, human error is the main cause of 95 percent of breaches. This presents a huge opportunity to develop a people-centred approach to organisational security. People are both the problem and the solution when it comes to good cyber security. Instead of thinking of them as the ‘weakest link’, we should consider them one of our greatest assets in defending against cyber attacks. It’s up to leaders to unlock this potential and take a pre-emptive approach to embedding the positive cyber secure culture that every organisation needs.
When adopting a people-centred approach to reducing cyber risk, we recommend focusing on three key areas:
1. Design the system
Do your policies, organisational structures, and governance clearly promote cyber security requirements? Are your processes easy to follow, or do they prevent colleagues from being effective in their primary role?
Systems, processes, and structures are some of the most fundamental drivers of behaviours across an organisation. Ensuring you purposefully design these to provide a consistent message will reinforce that security is something you care about getting right and help drive the desired behaviours.
To promote positive security behaviours, look at your teams as individual people – carefully identify what skills and tools they need to operate effectively, and understand why and how they might make mistakes. Review your policies and processes and revisit your operating model to ensure roles and responsibilities are clear. Set out expected behaviours for each role and make it as easy as possible for teams to meet their security obligations.
2. Engage hearts and minds
Do you talk about cyber security as a core component of managing business risk? Is cyber security owned and championed at board level? Do leaders and managers role-model the right attitudes and behaviours when it comes to strong security practices?
Cyber attacks are a reality – not a threat. It is therefore critical that people understand and feel comfortable talking about cyber security and how it relates to them both inside and outside of work. Helping colleagues to realise that good cyber security knowledge and skills will keep themselves and their families safe at home as well as protecting the organisation can be very powerful. Make it clear why digital security is a concern for your organisation and explain the potential impact of cyber attacks by using real examples or near misses your organisation has experienced.
Leaders must be prepared to be humble when it comes to cyber security – don’t be afraid to admit that you yourself might have fallen foul of a scam or phishing email and ensure that best practice at all levels is recognised and celebrated.
3. Nudge the right habits
When it comes to good security, nudges can come in both ‘hard’ and ‘soft’ forms. Many ‘hard’ preventative measures can be taken, such as blocking certain documents from being sent outside the business, but ‘soft’ nudges can be very effective too: think meeting reminders, or the notification Outlook shows when a document referred to in an email has not been attached. The point is that there are nudges you can build into ways of working to empower, guide, and remind colleagues to do the right thing when it comes to cyber security. This might be a procedural checklist, a timely pop-up, or a system intervention that forces certain behaviours, such as classifying documents.
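To make the ‘hard’ versus ‘soft’ distinction concrete, here is a small outbound-mail policy check written as an added illustration for this article; it is not code from the article, from Outlook, or from any vendor product. It assumes a fictional internal domain (example.com), two constructed classification labels that must not leave the business, and constructed sample messages. A missing attachment or an unclassified document produces a soft nudge (the sender is asked to confirm or classify), while a confidential document addressed outside the organisation is blocked outright.

```python
"""Toy outbound-mail nudge policy: an added illustration, not code from the
original article or any mail product. All sample messages, domains and
classification labels are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTERNAL_DOMAIN = "example.com"                    # assumed internal mail domain
BLOCKED_LABELS = {"confidential", "restricted"}    # assumed labels that must not leave the business
_SEVERITY = {"send": 0, "nudge": 1, "block": 2}    # the most severe outcome always wins

# Phrases that usually mean the author intended to attach something.
_MENTIONS_ATTACHMENT = re.compile(r"\b(attached|attachment|enclosed)\b", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    label: Optional[str] = None    # classification label chosen by the author, if any


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def external_recipients(mail: OutboundMail) -> List[str]:
    """Recipients whose domain is not the internal one (compared case-insensitively)."""
    return [r for r in mail.recipients
            if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def check_outbound(mail: OutboundMail) -> Dict[str, object]:
    """Decide what happens to a message before it leaves the mailbox.

    Returns {"action": "send" | "nudge" | "block", "reasons": [...]}.
      - soft nudge: the body talks about an attachment but none is present;
      - soft nudge: an unclassified document is going outside the business,
        so the author is prompted to classify it;
      - hard control: a document labelled confidential/restricted is addressed
        to an external recipient, so the message is blocked.
    """
    action = "send"
    reasons: List[str] = []

    def escalate(new_action: str, reason: str) -> None:
        # Record the reason and raise the outcome only if it is more severe.
        nonlocal action
        reasons.append(reason)
        if _SEVERITY[new_action] > _SEVERITY[action]:
            action = new_action

    if _MENTIONS_ATTACHMENT.search(mail.body) and not mail.attachments:
        escalate("nudge", "body mentions an attachment but nothing is attached")

    external = external_recipients(mail)
    if external:
        for att in mail.attachments:
            if att.label is None:
                escalate("nudge", f"{att.name}: unclassified document sent to {external}")
            elif att.label.lower() in BLOCKED_LABELS:
                escalate("block", f"{att.name}: labelled '{att.label}', external recipients {external}")

    return {"action": action, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages exercising each outcome.
    samples = [
        OutboundMail("ann@example.com", ["bob@example.com"], "See you at 3pm"),
        OutboundMail("ann@example.com", ["bob@example.com"], "Please find attached the notes"),
        OutboundMail("ann@example.com", ["pat@partner.invalid"], "Draft for review",
                     [Attachment("draft.docx")]),
        OutboundMail("ann@example.com", ["pat@partner.invalid"], "Q4 figures",
                     [Attachment("q4.xlsx", "Confidential")]),
    ]
    for mail in samples:
        result = check_outbound(mail)
        print(f"{result['action']:5}  {mail.body!r}  {result['reasons']}")
```

Severity ordering matters in practice: a message can trigger several checks at once, and the user should see the most restrictive outcome together with every reason, so they can fix all of them in one go rather than being nudged, then blocked, on successive attempts.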
Making mistakes is part of human nature. While it’s impossible to extinguish every possible cyber threat, building security into your people’s mindset and everyday habits will drastically limit the likelihood of breaches and create a robust cyber secure culture.