Organisations can protect themselves in the following ways:
1. Involve all parts of the organisation in developing and regularly reviewing cybersecurity policies. Policies help define the expectations you have of everyone who works with your organisation’s IT systems and data – “everyone” meaning directors, managers, users and IT people. For example: What is an acceptable use of systems? What are the expectations for employees who need to connect to internal systems remotely? How should technical staff administer technical controls such as a firewall?
2. Involve employees in reviewing the processes and procedures they follow, so as to increase their engagement and vigilance and build security into day-to-day operations.
3. This review will help increase the understanding of what vulnerabilities exist in the current environment. The pace of technological adoption is increasing so, when new business initiatives are launched with different technology, ensure that security is a key consideration in the design phase. Building cybersecurity in from the outset will enable the organisation to become more robust and be able to adopt technology with more confidence.
4. Change the organisation’s mind-set from regarding cybersecurity as an overhead to seeing it as a business enabler. The cultural, process, procedural and engagement changes required for good cybersecurity practice are also good for business as a whole.
5. Implement the organisation’s cybersecurity policies and procedures (they are no use just sitting in a folder!) and align organisational accountabilities to ensure this happens. Improving or changing cybersecurity culture requires ongoing work to ensure the policies and procedural information are understood and complied with.
Consider undertaking simple testing to validate team members’ comprehension of the material. Phishing and whaling attack simulation services, which send out fake test emails and measure how many people take the bait, can also identify users who may need additional training.
6. Look beyond what your own organisation is doing to protect itself and take all aspects of the supply chain into account, so as to ensure your supply partners also have adequate protection against attack.
If the organisation contracts or outsources business functions or part of its supply chain, be sure to assess the sensitivity and value of the company information that is provided to these third parties. They should handle and store that information securely and ensure it is deleted when no longer required.
7. Don’t just communicate to employees – communicate with them. Be sure to check their understanding when advising them of steps they can take to protect the company against attack. Engaging employees in discussing threats and the options for minimising them will very likely yield useful insights and ideas.