The Covid-19 pandemic means remote working has become prevalent and will probably continue long after the crisis has eased. The increased cybersecurity threat inherent in remote working represents an opportunity to transform your workforce into a very powerful resource. In the fight to maintain robust cybersecurity, personnel can be galvanised into a team with a heightened awareness of potential threats and a means to note and report them.
It’s not as simple as throwing a switch but neither is it rocket science. Developing a security culture starts with policies that form the platform for a series of processes and procedures that are repeated at frequent intervals. It’s this revisiting and repetition that form the cornerstone of an advanced and invaluable security culture.
Here are some suggestions for you to consider when formulating your approach:
#1 – Security starts with you
Security extends way beyond the firewall level. It starts with the human element which any security expert will tell you is the weakest link in the chain. It’s a startling fact that about 70% of security incidents are caused by employee negligence. Weak passwords, a disregard for mobile device and laptop usage policies and lapses in vigilance regarding email content have long been a successful attack vector for hostiles.
Importantly, a true security culture starts at the top. Senior management must be seen to buy into the concept, own it and adapt their work/life practices to put it into daily action. Without this example, a workforce will not take it seriously.
#2 – Communicate “with”, not “at”
Employees generally have no problem with proactively accepting a security culture. Don’t just throw communication “at” employees – communicate “with” them. Ask as well as tell. Making communication around cybersecurity personal to the user has long been recognised as markedly more effective and impactful.
Be sure to check their understanding when advising them of steps they can take to protect the company and themselves against attack.
#3 – Owning this transformation
Ultimately everyone, from all members of the board and management teams through to frontline employees, should be engaged and contribute to protecting the organisation from attack. Developing a strong cybersecurity culture involves ongoing education, communication, assessment and evaluation. The aim is to continuously raise all employees’ awareness, improve skills, close gaps and ensure accountabilities.
Cybersecurity responsibility should be shifted away from being largely in the IT domain to also include management and people in the organisation who focus on areas of risk, training and development, human resources and legal. The people that lead human resource management are key to driving this transformation.
#4 – View cybersecurity as a business enabler, not an overhead
The cultural, process, procedure and engagement requirements for good cybersecurity practice are also good for the business as a whole. Broadening the forum for debating security issues to include the entire workforce instils a sense of ownership too. It’s part of changing the organisation’s holistic view of general good practice to put some onus on employees to do their bit in protecting the safety and wellbeing of their employment.
#5 – Involve all employees in reviewing security
Involve employees in reviewing the processes and procedures they follow so as to increase their engagement and vigilance, and improve security in day-to-day operations. This review will help increase the understanding of what vulnerabilities exist in the current environment.
A receptionist, customer services agent, or office assistant may observe a security weakness that security experts may be blind to. Engaging employees to discuss threats and options to minimise them very likely will see them provide some useful insights and ideas.
Involve all parts of the organisation in developing and regularly reviewing cybersecurity policies. Policies define the expectations you have of everyone that uses your organisation’s IT systems and data – “everyone” is defined as users, the Board, managers and IT people. For example: What is an acceptable use of systems? What are the expectations for employees who need to connect to internal systems remotely? How should technical staff administer technical controls such as a firewall?
#6 – Make it an interactive exercise
Through our consulting work we have been able to discuss training activities with organisations over many years and observe which approaches are most effective. Here are some key points:
A combination of cybersecurity training options is required because (a) people have differing learning mechanisms and (b) senior management roles need different emphasis than team members. It means a one size fits all approach is not generally as effective as a custom plan.
People engage differently with online resources such as video, written content and testing.
Classroom delivered material has a part to play but it has always been challenging from a logistical perspective, plus it can be costly to build and tailor material. It has to be delivered in short bursts to match attention spans and be run or delivered as a one-off exercise for users so is not persistent.
Simulation based training, such as a phishing training campaign, has been shown to be effective in measuring risky behaviours and improving awareness around the potential dangers of dubious email content, attachments and links. Simulation based training is impactful and the lessons learned are better absorbed and remembered.
Make training interactive and actively encourage feedback, especially of successful observations of threats by staff. Where possible have small group meetings to augment training, and promote a sense of ownership. Engaging people in the process is more effective than merely making resources available.
Formulating a suitable approach to building a powerful security culture is not difficult if a well thought out set of foundational policies is developed and put in place. From this position and with the support of senior management you can harness the power of your workforce by providing them with ongoing cybersecurity training and awareness information. Ongoing reinforcement of this information will help them understand the need to be vigilant when working organisational systems and data.
Vatch our webinar: Laying the Foundations for a Secure Computing Environment
Contact us for a further discussion on how to create a powerful security culture in your organisation.