The culture of a company has always been important. Having a strong, unified company culture that highlights the values and attitudes of a business can help to build relationships internally, as well as encouraging employees to act as a team. It also attracts and retains better talent, and contributes to brand identity. But company cultures must not only be healthy, they need to be secure.
A ‘security culture’ – the values set by an organisation that determine how employees approach and think about the company’s security – can deliver an immeasurable benefit to your business. For no amount of security policies or controls will prevent a security breach if staff don’t follow management policies. Technical control is never perfect and can often be circumvented by people, and policies can easily be ignored.
But how do we foster this culture as managers?
Spread the news
Most businesses are likely to be specifically targeted by hackers with a fixed goal, rather than fall victim to generic phishing scams. In fact, 80% of all malware is unique to an organisation, meaning hackers are thoroughly researching their targets. Providing concrete examples of how much a security breach can cost a business can help the executive team understand the security threats to a business, and provide support in educating others. However, when it comes to appealing to all employees, it really does pay to highlight the risks associated to their team or role specifically.
It’s likely that the finance department won’t be overly interested in a story about IT administrators being targeted, but more interested in a story about CEO fraud. By tailoring your pitch to each department, you can highlight the importance of having a secure culture across the board and not just to the IT team.
Though this approach can be time intensive, it will pay dividends in the long run. Keeping key stakeholders engaged – like the CFO, for example – can also benefit, as they will be able to spread the word via internal meetings.
Providing a secure education
The first line of defence should be the infrastructure that we operate, including firewalls, antivirus, and anti-spam security solutions. Even by implementing pop-up and web blockers, our IT teams are able to provide additional protection to the network by blocking malicious and virus-infected websites.
Of course, it is possible that the infrastructure will falter, in which case we need to ensure our employees can protect themselves, and their work. Given that 66% of malware is installed via malicious email attachments, we need to be certain that our employees are educated in avoiding these attacks.
One of the more effective ways of fostering a security culture in the workplace is sharing information to build awareness of the need for internal security, and educating staff on how to identify threats and remain secure, not just via sharing news stories. But to be successful, this needs to be done in an efficient manner; awareness material that appeal to the IT team, for example, may not be as effective or resonate as well with less technically focused staff.
If you have an internal marketing department, it may be worth working with them to develop memorable materials to build internal awareness – think stress balls, posters, and so on. Alternatively, you may look towards companies that specialise in cybersecurity awareness programs to educate employees.
After all, how can you expect people to spot phishing attacks if they’ve never been taught to do this? While not every company will have the budget for internal marketing campaigns or frequent training sessions, it is important to ensure all staff are informed of the importance of cybersecurity. Smaller companies may look to attending training sessions on cybersecurity, or hosting a training session once a year for employees, and developing a fact sheet for new hires.
The future workforce
What if training happens before someone joins the company? Establishing security as a priority from the very start, and including information as part of the new-starter process, will pay dividends a few years down the line. New employees are likely going to feel overwhelmed on their first day so it’s not the time to go into detail, but planting the seed on day one by including information about security in a starter pack, and nurturing it in the initial weeks, is a great way to keep employees informed.
It’s important to use every touchpoint you can. It may also be worth having the service desk remind new joiners about security when they receive IT equipment, or including a shortcut to training materials on the desktop or a click-through reminder on their first login.
Keeping employees up to date with the latest security news and protocols for a company is a great way to keep them informed and on the same page. It also helps to unite the team and foster that all-important culture – no matter where people are in the company, and if they started five years or five days ago.