Strategies For A Cyber Security Culture (£)
Creating a culture of Cyber sensitivity is now a corporate/business priority that should be well understood and engaged with at the Board level. It should become a presentation and training process through-out the organisation. It certainly should not be left to IT, although they of course should be very involved with the process.
One of the best ways to protect company information is to create a corporate culture that views information security as a shared responsibility among all employees.
Our recent research has shown that companies are not strategising and tactically implementing a continuous employees training program to deal with the implications of Cyber for the company. Those organisations that have programs in place and are operating them have significantly reduced Cyber Security issues.
However, this is not just a security issue, although that is of course very important and getting a lot of press/blogs, it is also an important opportunity/creative priority that needs real Board and Management attention.
Certainly one of the better ways of improving the security aspect of cyber-attacks is to build a business culture where cyber security is seen and engaged by staff and management as a joint and shared responsibility.
To make this part of the culture frequent Cyber training should take palace and the sharing of issues and opportunities should become part of the shared organisational culture. Regular meetings and training programs that discuss and offer help with email opening and finding malware of different sorts – make it something that is expected to happen and discuss new and different ways to avoid and share the issues.
Most business at present does not have regular security training and even where some cyber security education does take place it is often only once or twice every couple of years. Over thirty percent of small and medium size businesses have never had cyber security training for their staff or executives.
It is very important for senior management to first take some cyber security training and have them aware and implementing security on their own habits and work practices.
This is very important and a process that must be discussed across the organisation so that soon after when employees begin their training everyone is aware of the significance and importance that the business and senior management are giving to this issue.
IT standards and security initiatives are of course critical to security, however operations and strategy also is crucial. Here are Six points that business should also use:
First, any organisation must have a Cyber Security response plan that is in place and has the understanding and backing of the Board, Senior Management and has been discussed and presented to the employees and their feed-back has been included.
Second, the operation should use a White Hat Hacker Team to randomly hack your systems at different times and days – at least five/six times a year, without prior knowledge of employees and management as to when it will happen. The methods should be understood and the results explained to the Management and staff by the CEO.
Third, there should be HR’s engagement with the requirements for new staff and training of current staff into the IT systems and processes that are being used by the organisation.
Training is very important and a key issues in reducing Cyber-attacks. Often hackers are helped by employee, often both management and staff, opening a malware email. These issues should be discussed and openly accepted that anyone could make the mistake of opening an email that contains the potential for a hack.
Encourage people to discuss these issues and have training against hacking a continuous process as over half of what is taught in any one training session is forgotten by by most employees within a couple of hours of the session finishing – follow-up memos are very important and then more training in a few weeks is necessary.
Fourth, form business Cyber Security forums with other businesses and organisations and engage in discussions about recent hacks and security issues. Talk to different organisations about insurance and PR issues that hacking results in.
Fifth, create an internal Cyber Security response team that includes IT, HR and PR employees and ensure they have a continuous plan and process that is changing with the development of current hacking and issues of Cyber Security.
Six, create an analysis development team that can investigate and analyse the massive data that the Internet provides to get clearer views of your organisations position in the markets that it works within and related and connected markets. This process should be liked to sales and product development.
This is an on-going process and should not be left just to IT as Cyber is effecting all aspects of any business even if at present some management and employees say it has no effects on their areas.
