
What is Cyber Security Culture and why does it matter for your organisation?

By Tom Everard

The cyber security market has been evolving. Initially, the focus was on technical solutions. Then the introduction of certifications such as ISO 27001 and Cyber Essentials encouraged policies, standards and processes to improve cyber resilience. Now, in the last five years or so, ‘human cyber’ offerings have started to proliferate. At first these existed to satisfy the regulatory requirement for ‘awareness training’. That is beginning to change, because organisations that have invested in cyber technology and put good policies and processes in place are still seeing vulnerabilities stem from the operators of their IT: their workforce.

With much of the workforce working remotely through the pandemic, more people than ever are connected to the internet. According to Interpol, this expansion of connectivity, combined with the sense of confinement, anxiety and fear generated by COVID-19, has created the perfect environment for increased cyber security threats. Interpol’s Cybercrime Threat Response team has detected a significant increase in attempted ransomware attacks against key organisations and infrastructure engaged in the virus response. In a future where many people may continue to work remotely much of the time, organisations need a more comprehensive approach to ensuring their workforce adopts the right behaviours. Leaders need to go beyond raising awareness and start focusing on changing behaviour through a cyber security culture.

What is Cyber Security Culture?

Cyber security culture refers to the attitudes, knowledge, assumptions, norms and values of an organisation’s workforce with respect to cyber security. These are shaped by the goals, structure, policies, processes and leadership of the organisation.

A good cyber security culture is one in which both the organisational determinants of culture (policy, process, leadership, social norms and so on) and the individual determinants (attitudes, knowledge, assumptions and so on) align with the organisation’s approach to cyber security, so that the result is security-conscious behaviour.

Core to creating an effective cyber security culture is recognising that people, not technology alone, make an organisation secure. People are both the strongest response to cyber-attacks and the weakest link in the cyber security chain, so it is critical to foster an environment where employees have the knowledge and the instinct to act as the first line of defence.

Why is it important to invest in a good cyber security culture?

A cyber-savvy mindset and a cyber-secure culture help deliver growth through digital trust, improve an organisation’s reputation with customers and build employee pride. They create an environment where good cyber hygiene becomes standard practice, so the whole organisation can operate more securely with less effort, freeing up time and energy for the core business. Yet only 11 per cent of businesses provided cyber security training to non-cyber employees in the last year, according to the Department for Digital, Culture, Media & Sport’s 2020 Cyber Security Skills report. This is beginning to change, though, and the importance of security training and culture is increasingly recognised. We have seen this especially among clients in transport, oil and gas, and other sectors with a strong focus on safety culture. They have learnt the lessons from establishing a safety culture and are transferring those lessons to their cyber security interventions.

Creating a cyber-savvy mindset and a cyber-secure culture goes beyond preventing attacks and breaches. It is about giving your customers confidence and building their trust. It is about being socially responsible as a business. And it is about looking after your employees: being cyber-savvy is a skill your people can take into their personal lives and use to help their families too.

How to develop a good cyber security culture

It is useful to look at what we can learn from organisations with dangerous work environments, such as power stations, oil platforms and railways. They tried training their staff and found that the improvement in behaviour did not last long.

Sociologist Barry Turner first identified the reason for these failings in the 1970s, postulating that culture was key. Several high-profile accidents in the 1980s, such as the sinking of the Herald of Free Enterprise, the Chernobyl explosion and the Challenger space shuttle disaster, led to greater understanding and acceptance of his theory, which holds that organisational structures, culture, policies and management procedures all play a role in the occurrence of industrial accidents and incidents. Over the last 30 years, high-hazard industries have worked hard to align their business culture with their safety goals and have seen real reductions in accidents.

Other organisations can now use these lessons to accelerate the adoption of a cyber security culture. This starts with building on existing strengths, connecting with people’s motivations, nudging the right habits, and having leadership champion adoption. At the same time, leaders must listen to employees, understand how changes affect the way they engage with cyber security, and make adjustments where appropriate.

Cyber security culture needs to reflect organisational and leadership goals

Cyber security culture goals must be strategic, aligned with the organisation and aligned with its risks. You need to understand what the current cyber security culture within your organisation looks like: explore your lived culture, purpose and values, and the way they shape people’s engagement with cyber risk. Knowing the reality of where you are starting from, in terms of mindsets and behaviour, lets you identify the significant gaps and develop a roadmap for change.

Underpinning the success of these initiatives is support from leadership. Leaders set the example: where they buy into, embody and advocate security consciousness, people follow. Conversely, when the tone at the top is not aligned, awareness campaigns will be undermined.

Finally, as you implement changes to your cyber security culture, it is critical to listen and adjust. Keep listening to your employees and understand how the changes affect the way they engage with cyber security. An objective and honest understanding of how your efforts have landed will help you make the right adjustments to keep moving towards your goal. It also gives you the opportunity to celebrate successes and acknowledge positive shifts.

About the author

Tom Everard, cyber culture expert
