The number and severity of cyber-related threats on organizations is increasing and is expected to continue to grow over the coming years. Because of this, cybersecurity must be a critical component of each organization’s business plan to ensure that data is protected and avoid the financial and reputational consequences that are associated with an incident.

Although the security of technology is a critical component to any security plan, one of the most overlooked vulnerabilities is not technical in nature, but human. Because of this, cyber criminals focus on attacking individuals through phishing and social engineering, placing employees on the frontlines in the fight against cyber threats. As these threats continue to grow more sophisticated, it is now critical that every organization develop a culture of cybersecurity awareness so that employees understand their role in protecting the organization and are equipped with the tools and understanding to act accordingly. Fostering a culture of cybersecurity can bolster the security of any organization more than any single procedure or policy. In this article, we look at how organizations can establish the basic elements of a strong cybersecurity culture.

Setting the Tone for Your Cybersecurity Culture

In order to lay the foundation of a strong cybersecurity culture, organizations must embrace the idea that security is not just an IT issue. In any organization, senior leadership is the biggest driver of a cultural shift and should ultimately be accountable for the security of the organization’s data and assets. It is essential to make sure that senior leaders in your organization are actively governing and promoting cybersecurity as a priority. To do this, organizations should consider whether their security governance structure is formally established through an information security or other similar policy. This should outline the key roles and responsibilities of individuals who are accountable for cybersecurity governance. The various roles and levels associated with each function may vary based on the size and complexity of your organization, however, below are examples of individuals whose role in security governance should be defined.

• The Board of Directors

• The CEO or other Executive-Level

• Chief Information Security Officer

• Security / Risk Manager

Once this structure is established and approved by leadership, those accountable must ensure that security governance remains an active process and not a formality. This includes implementing the regular risk management and security planning processes, and tools that ensure the appropriate governance is in place and is calibrated to the organization’s objectives and risk tolerance.

Develop and Communicate Policy

Just as most organizations have a dress code for the office, having a suite of well-defined cybersecurity policies will provide structure to your organization’s stance on cybersecurity and communicate best practices. The strategy for developing a policy or set of policies will vary based on the size, complexity, and maturity of your environment. It is important that policies be written to reflect the controls in practice as of the effective date of the policies. Establishing policies is not a means for directly improving security practices, but a way of translating those practices into established requirements.

Policy areas that should be considered include acceptable use, remote access, email communications, bring your own device (BYOD), access management, asset management, and others depending on your needs. Well written policies should also consider the audience and contain a level of detail that clearly communicates requirements but, is not so detailed that it must be re-written when minor changes occur. Policy ownership is also an important component so that employees know where to turn for additional guidance or questions.

It is not only important just to have security policies, but you must also ensure that they are communicated to all necessary workforce members, including contractors and other third parties that have a role in protecting your information assets. This may require collaboration with Human Resources to make sure that new hires read the relevant policies on the first day and have them readily available for future reference via an employee intranet or other method.

Develop and Implement a Training Program

Cybersecurity training is one of the most effective tools for reinforcing policy and building a model for good cybersecurity practices. There is not a one size fits all solution to training as each organization has a unique culture, values, and priorities. Training may include online learning platforms, social engineering campaigns, in-person classes, webinars, and frequent communication from leadership.

Regardless of what techniques you use, successful training programs contain the following elements:

• A measure of success:  Senior leadership in conjunction with information security should decide what determines that their training and awareness program is a success. Some examples include a click rate of 5% or less on any phishing simulation exercise, a training module score of 80% or higher, or a report rate of 90%. While a goal of 0% click rate on a simulated phish looks good on paper, it may be unattainable in practice.

• A training cadence:  Before kicking off your training program, it is important to have a plan for how often you will host training sessions, send out simulations, and distribute newsletters. Choose a cadence that you can adhere to, and that considers your overall business objectives and risk tolerance.

• A reward system:  Many security training programs focus on penalizing users for engaging with a simulated phish or clicking on a real one. However, having a punitive program may cause users to fear reporting a mistaken click on a phishing link. This in turn could delay response times from your incident response team. Rather than focusing on punishments, spend time celebrating your successes. You may consider shout outs for those with a 0% click rate each month in a newsletter or even host a luncheon for departments with the lowest click rate.

• A communication plan:  A plan for communicating key cybersecurity priorities and initiatives to employees should be developed. Consideration should be given to the channel through which the communication will be performed, the frequency of communication, and the designated sender. Communications that evidence executive-level sponsorship will again reinforce the importance of cybersecurity as a priority.

To successfully drive engagement with training content, tailor the content of each training to the employees that will be enrolled. Consider their department, level of responsibility, technical skill level, and data they have access to. For example, you may develop a specialized or enhanced training program for IT personnel or senior leadership, based on the roles, access, and level of responsibility they have. Also, the outcomes of the training processes should be an improvement in security posture over time. The measures of success that you choose should provide insight into where reinforcement may be needed and whether the overall level cybersecurity awareness is improving from one period to the next. By measuring these trends, the appropriate changes to training can be developed and applied. 

Conclusion

Cybersecurity continues to become a board-level priority for organizations regardless of size and industry. Because humans often present the weakest line of defense against cyber-attacks, organizations are placing greater focus on building a more aware and resilient cybersecurity workforce. Companies that invest the time and resources in building these foundational elements of cybersecurity governance – established accountability, defined policy, and training – can see quick and measurable improvements in their security posture.

Interested in talking more about cybersecurity? Get in touch with us.