‘Security’, ‘cyber’, ‘digital’ and ‘ransomware’. These terms should conjure up images of numbers flying across screens, pounding music, masked hackers and a call to do something drastic. And yet, for some reason, when most people hear about security culture they tend to drift off. The problem is that for many people security is either stopping radicals from bringing down the government or watching an overpriced anti-virus product scan their documents. We can’t really relate to the first, and the second is seen as a hassle. As a result, we don’t give security much thought in our daily lives.
But we should.
Witness the rise of bring-your-own-device at work, the move to mobile everything, millions working from home and coffee shops, connecting to remote servers and sharing documents in the cloud. Our digital footprint has grown and we now have more to lose. Look at the Ukrainian power grid that was taken down, the Sony PlayStation Network breach that exposed account holders’ personal details, eBay or TalkTalk. A poor security culture can now kill a company. Not only does a breach bring hefty fines from the Information Commissioner’s Office, but the loss of customer trust and brand reputation can be fatal.
There are many suggestions for building a security culture, but they tend to be abstract: get buy-in from the top, build it into your values… While relevant, they don’t get to the heart of culture. Behavioural change isn’t created by one-off activities and long-winded process documents; it comes from people connecting with security regularly. Make it interesting and part of their working lives and people will engage with it.
Here are five things you can do right now:
1. Bring in the big (people) guns – security often, and rightly, falls to the information security or operations lead. But to establish a new culture you also need to involve the ‘people’ people: the change managers, behaviour experts and natural influencers in your organisation who create cultures quickly. This is about pulling together a crack team of ‘spiky leaders’ – which we define as leaders who are excellent at one or two things rather than OK at all of them – drawn from technical, security and people specialists. Having only security staff involved will immediately mark any initiative as ‘them’ rather than ‘us’. Get others involved and make the team as diverse as you can.
2. Engage emotional brains – promoting security with a few office posters won’t get you far. In fact, nothing will if it isn’t relevant to people. Run a culture survey to understand your people’s values and build a communications campaign that speaks to them emotionally. Case studies, discussions and storytelling events are good conversation starters, while impactful videos, hothousing and immersion let people live the implications. For example, you could send a simulated phishing email to the whole company and then report back the findings – ‘Only 14% of people passed this on to IT security – why didn’t you?’ – so that the lesson is about what each person actually did, not an abstract warning.
3. Build habits – people don’t change overnight, and beating them over the head with a large security manual isn’t going to help. Change comes down to habits: the accumulation of small, everyday individual actions (leaving a default password such as ‘password’ unchanged is a recurring root cause of real breaches) can have an outsized impact on an organisation. Building new habits means practising regular activities until they become automatic. To do this you need to build them into a routine and keep on top of it; it is not a one-off event. At PA we have developed ‘20 Days Later’, an approach that uses gamification techniques to help you create lasting change by building new habits for your employees.
4. Make everyone (want to be) an expert – it is easy to think that security belongs to techy folk in a darkened room somewhere and to forget your own role in managing risk. People are more likely to work towards a goal if they understand the risks, so empower your people to own their security. Use champions to run workshops with teams that get them thinking about impact scenarios, from the mundane to the extreme: what if a competitor stole your secrets, or vital customer information was leaked? Make it an engaging experience that is repeated regularly and becomes part of how the company works. You can also run hackathons in which your technical people try to break into systems while another team plans the mitigations.
5. Prepare for the difficult – while the fun stuff is important, how the organisation actually prepares for security breaches is paramount. Scenarios, escalation processes and responsibilities – from the CEO to graduates – need to be clearly mapped out and publicised, making it clear what counts as a breach, what to do and what the consequences are. Train your line managers to have courageous conversations. And keep on top of it: international organisations in particular should consider how they tailor their approach to non-compliance across different organisational and national cultures, from the highly autonomous to the stringently authoritarian.
Many organisations believe they have a security culture in place. But it is one thing to have a few posters and an online course and quite another to have something that really connects, with everyone regularly thinking and acting on security issues. Your people are your first line of defence against an attack that could break your company. Have you thought about how you are going to keep them engaged?