Why culture is essential to cybersecurity strategy
Digital transformation creates a challenging cyber threat landscape. This, explains Cyber Risk Aware's Stephen Burke, makes having the right culture essential.
2019 was one of the worst years on record for cyber attacks and breaches*. Over the course of the year there was a massive 54% increase in data breaches* - many with dire consequences.
What you read in the press is the tip of the iceberg when it comes to the fates of global players such as Verizon, Capital One, British Airways and many others, with the implications of many attacks still yet to be seen.
Predictably, IT companies continue to innovate to provide best-in-class infrastructure solutions.
Human & technology
Using technology to counter the problem, while necessary, is only one part of the whole solution.
Passing responsibility for a company's defences to the IT function is misguided at best; enterprises are now discovering that technology is just one piece of the armoury.
The fact is that 90% of all breaches are caused by human error** - a massive statistic when you consider that even the most technically robust of networks can be undone by one simple absent-minded click on a phishing email.
Unfortunately, the best technical solutions in the world cannot secure IT infrastructure alone. Just as an army must be trained to use the weapons it is given, so a company's people must be trained to defend its systems.
Cyber awareness training
The types of vulnerabilities being exploited by criminals are varied and difficult to address internally without expertise - a natural step is cyber security awareness training.
Many organisations that do implement such programmes often train only the technical staff and thus miss the real source of the problem – the employee on the front line.
Every computer and every communications device is an open door and, at the moment, untrained employees are not only opening the door, they are propping it open and inviting attackers in.
Organisations that understand these attacks and plan long-term, protective measures are the ones that build a real cyber awareness culture.
This should be tackled through a staged approach, as detailed below:
- Stage 1: Assign responsibility and authority. The most important thing to consider is that cyber security shouldn’t be put in the hands of a single department. It should be seen as a company-wide initiative and given the recognition of importance that it deserves.
- Stage 2: Assess buy-in. Keep tabs on progress and ensure that everyone in the organisation has a cyber security mindset.
- Stage 3: Attack your own defences. Start running real-time cyber attack simulations across the network. This will show the greatest areas of weakness and give IT teams solid signposts on technical vulnerabilities.
- Stage 4: Train. Implement training and ensure that it is done across the organisation, both horizontally and vertically. If you are a global organisation, look for training that comes in native languages. The C-suite should be trained in the same way as the most junior person is trained. Cyber criminals don’t care who they target, so everyone on the network is a potential target.
- Stage 5: Communicate, reward, motivate. Share successes and tell employees how the company is being kept safe. What they learn at work they can benefit from at home. Reward people who are cyber heroes; this will in turn motivate others. Keeping cyber security on the agenda will make sure that, as employees come and go, the culture remains.
- Stage 6: Review and measure. It is good to have clear KPIs from the start. Make sure reports are kept on where the weakest points are in the organisation and ensure measures are put in place to eradicate those weaknesses.
These steps are the foundations for building a strong cyber security culture within an organisation. But the key is to run them in a loop.
Keeping your people up to date and trained makes them the most valuable custodians of your company’s network.
Technical solutions can be massively costly and often swallow a large share of the cyber security budget. Implementing a programme such as this, however, can be cost effective and ultimately invaluable.
The human touch works both ways: it can bring a company down or it can be its best defence.
This article was written by Stephen Burke, CEO and founder of Cyber Risk Aware.
* Risk Based Security - Data Breach QuickView Report 2019 Q3 trends
** Human error to blame for 9 in 10 UK cyber data breaches in 2019