Why An Effective Security Culture Is Essential For Your Organisation

Uploaded on 2020-01-21 in JOBS-Training, FREE TO VIEW

With data breaches spiralling out of control, it’s time that organisations change their approach to fighting information security threats.

There’s a long-held, mistaken belief that this is an IT issue that can be fixed with more reliable software and a keener eye on technological flaws. In reality, employees are just as likely to cause a data breach as a bug in your system, and unfortunately there’s no simple patch for human error.

Rather, it takes an organisation-wide commitment to security, as you educate staff on the risks they introduce to your business and get them to break bad habits.

The problem with staff awareness training
When experts talk about educating employees, they generally refer to staff awareness training. In most organisations, this takes the form of online or in-person courses that take place once a year. More vigilant organisations might run two or three a year, but they’re nonetheless rarities – distractions from your everyday work – rather than part of an ongoing, structured approach to cyber security.

It’s not hard to see why employees might resent these courses. They interrupt their working week and knock them off schedule, and tend to comprise being lectured on how to do seemingly simple tasks, like sending emails or creating passwords.

This is why staff training alone can only do so much. Sure, employees will retain some of what they’ve been told, but true progress takes a willingness to learn.

That means building a culture of cyber security in which organisations take the time to show staff the real-world consequences of poor data protection practices.

It’s one thing to give them a PowerPoint presentation with stats like “23 million people in the UK use ‘123456’ as their password”, but it’s something else to explain why that’s a bad thing. The answer might sound obvious, but you’d be surprised at how often there are knowledge gaps between the errors that cause data breaches and the advice for preventing them. 

Let’s take a look at some examples.

Where employees are going wrong
Employees are generally aware that passwords should be a combination of at least eight letters, numerals and special characters (although there are arguably better ways of creating strong passwords), but that doesn’t really cut to the issue.
As a result, employees might create passwords such as ‘Password#1’. It meets all the criteria, but it’s not going to protect your account – being, as it is, a minor variation on one of the most popular login credentials.

The same thing applies to phishing emails. You can warn staff all you like to look out for suspicious messages and unsolicited, urgent requests, but the scams are successful not necessarily because victims are ignorant but because they’re careless.
Victims of phishing emails are, in many cases, aware of the threat of these scams but were caught out in the heat of the moment.

That’s exactly why phishing is so dangerous: the seemingly urgent nature of the messages can make us ignore any faint alarm bells that ring as we dimly recall a warning from a training session we once took.

The only way to tackle people’s impulse to click phishing emails is to engrain good habits into them. Employees should be capable of immediately recognising suspicious emails in the same way that they should intuitively know what makes a strong password.

Because contrary to a lot of evidence, staff awareness training doesn’t have to be complicated. The only thing that’s lacking is the time and commitment towards rooting out bad habits.

Creating a culture of cyber security
Developing a culture of cyber security is as simple as making staff awareness part of your day-to-day operations.
Training courses should remain the backbone of your efforts, and e-learning is an ideal way of delivering lessons. It’s affordable, staff can take the course at a time that suits them and it gives you a reliable audit trail. That means you can see who has taken the course and, just as importantly, who hasn’t.

You should complement training with visual reminders that enforce these lessons, like posters and email signatures containing security advice.

Perhaps the most important thing you can do is to practise ‘nudge theory’. This is a type of behavioural science that prompts individuals to make smart decisions by using indirect suggestion and positive reinforcement.
The approach is intended to help employees rationalise why certain processes are necessary, meaning they’re making smart choices by habit rather than from memory.

Subtle things like these might not seem as though they’ll make a huge difference, but remember: the devil is in the detail.
Just as you break bad habits in your personal life through small, routine gestures and reminders of your bad ways rather than one grand statement, so too does effective data protection require regular nudging. 

So don’t leave your organisation’s information security wellbeing to your IT department or staff awareness training providers. Make it a part of your day-to-day activities and encourage everyone to play their part.

About The Author: Luke Irwin
Luke Irwin is a writer for IT Governance. He provides news and opinions on a variety of information security topics, and was nominated for the 2019 European Cybersecurity Blogger Awards.

 

 

 

« New York’s Albany Airport Pays Ransom
5G Will Reduce Car Accidents »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Stealthbits Technologies

Stealthbits Technologies

Stealthbits Technologies is a cybersecurity software company focused on protecting an organization's sensitive data and the credentials attackers use to steal that data.

Calian Group

Calian Group

Calian is a diverse Canadian company offering professional services in areas including Advanced Technologies, Health, Learning and IT & Cyber Solutions.

Maticmind

Maticmind

Maticmind is an ICT System Integrator providing solutions and specialized skills in Networking, Security, Unified Communications & Collaboration, Datacenter & Cloud and Application.

Surevine

Surevine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

Quest Software

Quest Software

Simple IT management for a complex world. Whether it’s digital transformation, cloud expansion, security threats or something new, Quest helps you solve complex problems with simple solutions.

Exponential-e

Exponential-e

Exponential-e provide Cloud and Unified Communications services and world-class Managed IT Services including Cybersecurity.

Cyber Threat Defense (CT Defense)

Cyber Threat Defense (CT Defense)

CT Defense specialize in penetration testing and security assessments.

DisruptOps

DisruptOps

Built for today’s cloud-scale enterprises, DisruptOps’ Cloud Detection and Response platform automates assessment and remediation procedures of critical cloud security issues.

VectorUSA

VectorUSA

VectorUSA is a premier technology solution provider. We design, build and maintain cybersecurity, data center, wireless and managed solutions – transforming business needs into technology solutions.

Squad

Squad

Squad provides leading expertise to ensure protection against the most complex cyber threats. Combining the best practices of DevOps and Cybersecurity, we are committed to create a secured cyber space

Maritime Cyber Threats Research Group - University of Plymouth

Maritime Cyber Threats Research Group - University of Plymouth

The Maritime Cyber Threats research group of the University of Plymouth is focused on investigating marine cyber threats and researching solutions.

Anterix

Anterix

Anterix is focused on empowering the modernization of critical infrastructure and enterprise businesses by enabling private broadband connectivity.

Scholarly Networks Security Initiative (SNSI)

Scholarly Networks Security Initiative (SNSI)

SNSI brings together publishers and institutions to solve cyber-challenges threatening the integrity of the scientific record, scholarly systems and the safety of personal data.

Avrem Technologies

Avrem Technologies

Avrem Technologies is a business IT and cybersecurity consulting firm. We design, implement, manage and monitor the networks, servers, computers and software that our clients rely on each day.

Unisys

Unisys

Unisys is a global information technology company providing industry-focused solutions integrated with leading-edge security to clients in the government, financial services and commercial markets.

ThreatNix

ThreatNix

ThreatNix is a tight knit group of experienced security professionals who are committed to providing competent cybersecurity solutions that adhere to international standards.