According to a recent report released by ISACA in association with the CMMI Institute, nearly 95 percent of organizations report a wide gap between their desired cybersecurity culture and the one they have today. This is all the more concerning given that the recent pandemic period coincided with a reported 31% increase in cyber-attacks.
The Cybersecurity Culture Report sheds further light on the situation: in organizations with high employee involvement in cybersecurity, 92% of respondents were confident that their C-level leaders had an excellent understanding of the underlying cybersecurity complexities. At the same time, 42% of respondents said their organizations lacked a defined plan or policy for managing cybersecurity culture. Clearly, the problem is bigger than companies, their leaders, or the technology at their disposal: it comes down to the overall security culture in the workplace, and companies need to start defining theirs now.
What is a culture of security?
Business leaders tend to make cybersecurity decisions based on their assessment of technological capacity and risk. That leaves out the crucial human element, which can be either the greatest vulnerability or the greatest asset in an organization's overall security posture. A cybersecurity culture is an all-encompassing set of policies and practices that extends across the organization, with every team, process, metric and tool unified by the same underlying security principles. It can be challenging to build in organizations with complex structures, but it is crucial to start early because of the risk facing the organization and the individuals who work at or are otherwise associated with it. Cybersecurity Ventures estimates that global cybercrime damages could reach as much as $6trn annually by 2021. A managed IT services provider can be a good place to start when implementing a culture of security at your organization.
Cybersecurity Workplace Culture: 5 Considerations for Employer and Employees
Improving cybersecurity posture will always be an evolving process, but there are several things that companies and their remote workers can do right now to start building a culture of security and keep improving it.
Establish a Cybersecurity Policy
Don't assume that all employees treat data security as the priority the organization wants them to. Many still lack awareness and may simply not recognize the signs when something is amiss. This is especially true of junior employees and of those who do not interface directly with customer data. That is why it is crucial to establish a clear set of cybersecurity rules and policies that is easy to understand and to follow, so employees know their data security responsibilities. Make it mandatory for all new and existing employees to review and sign the policy, regardless of their tenure or mode of work. The policy document must be easily accessible and comprehensible, so employees always know what to do, which tools to use, whom to contact, and how to respond to an anomaly or an actual breach. Most importantly, they need to understand their roles and responsibilities in protecting data and how to comply with the company's expectations. A 24/7 IT support provider can help your team with risk tracking, patching, and remediating vulnerabilities using industry-standard strategies and tools.
Build security ownership among employees
Many employees, and even whole departments, still labor under the delusion that security is the responsibility of the 'IT folks' and the leadership. This is simply not true. To build a culture of security, organizations must make clear that security is a shared responsibility of every employee and every department. This message needs to be driven home through awareness initiatives from the top down in order to initiate organization-wide cultural change. To open with a strong statement, consider including the company's security vision in its vision and mission statements, and ask team leaders to 'walk the talk' by attending organizational security talks and conferences, engaging with key opinion leaders, and following security protocols themselves without exception.
Adopt secure development lifecycle
Companies are rapidly discovering that they cannot divorce security from the process of developing software. The Security Development Lifecycle (SDL) is a software development process that integrates security activities, supporting tools, and awareness training into every phase of development rather than bolting security on at the end. SDL activities include defining security requirements, threat modeling the design, and performing rigorous security testing, all completed before a piece of software or a system is released. With proper SDL practices in place, companies can build software that is secure by design and meets compliance requirements, and because vulnerabilities are found before release rather than in production, overall project costs go down.
Reward and Recognize Employees
Make every employee feel heard when it comes to security questions and discussions, and reward proactive engagement and initiative. When every employee is involved in upholding data security in a positive way, a culture of security follows naturally. Encourage a positive culture of threat detection and prompt action by rewarding behaviors such as spotting and reporting phishing attempts, patching software promptly, and practicing good password hygiene. Negative reinforcement, such as mandatory retraining or reduced privileges, has its place for repeat offenders, but it is generally better to frame cybersecurity as a shared challenge: a threat to the organization, and to everyone's job security, that the team overcomes together.
Make security fun and engaging
Nobody wants to sit through a two-hour click-through course on cybersecurity practices; your employees have plenty else to do. One of the most effective ways to engage them in data security is to make training and awareness fun and interactive. Participating in simulated attack exercises can be enjoyable and also helps employees learn to identify and handle suspicious activity. You can score teams just for fun and have the best teams face off in a master security challenge; a bit of healthy inter-departmental rivalry helps here too. Other tools include impromptu tests, email tips, and quizzes that keep employees on their toes about security protocols and practices.
If you know your cybersecurity posture needs improvement, consider reaching out to a local managed cloud services provider for a thorough vulnerability assessment today.
About the Author: Nora Erspamer is the Director of Digital Marketing at New Charter Technologies, a group of companies specializing in managed IT support services. She is an experienced marketer and sales strategist with a demonstrated history of working in various technology industries, and is skilled in strategic campaign development, lead generation, and marketing automation software. Her blog can be found at https://newchartertech.com/blog/.