The culture of cybersecurity is an organization’s attitude towards information security, assurance, and privacy. Security culture requires the sharing of knowledge about potential threats as well as anticipating and communicating about threats that an organization may face in the future. A good security culture can be developed by employing an effective security program that is consistent, adaptable to the organization’s needs, measurable, and can be sold to all employees. An information security program that is designed to spark a cultural shift has three basic elements: security awareness, training, and education.
Here is a four phase approach to instill a good cybersecurity culture.
You will need a few brainstorming sessions to answer the following questions.
The very first step when introducing a security awareness program is to understand where do employees stand today. How much attention to they pay to the information security breaches around the world? How much do they understand the misuse of IoTs? And most importantly, do they know how to protect their personal and professional data?
A phishing campaign would be a good start, assuming you already have management’s buy-in. Send some emails with malicious links, drop some USB drives in the parking lot, or call the help desk to reset the passwords. The results will give you an idea of where you need to go to get your employees better prepared for cyber threats.
Understanding regulations and frameworks that impact your organization will set focused areas for your training. HIPPA, PCI-DSS, and GLBA are some of the standards that affect health, credit card processing, and financial organizations, respectively.
During the first 30 days of your awareness campaign, you can conduct your phishing tests and meet with the managers and employees to understand what their pain points are with cybersecurity. Do they understand the value of the data they process? Are they ignoring the basic checks because they believe these additional precautions may impede their progress?
Employees need to understand that your job is not to hinder their productivity but to help them carry on their work securely.
Security awareness is the prelude to security training. It provides a general awareness of cybersecurity and prepares employees against low-level threats. Security training teaches employees how to perform their job securely and educating involves learning new techniques and skills to enhance an organization’s security posture.
Understand your audience. Are they technical or non-technical? If they are non-technical, then you may want to avoid using technical jargon in your program. It will also help to know if your audience consists of entry-level, middle management, or executive employees. Moreover, identify any specific behavior you would like to focus on. For instance, if people are leaving their computer screens unlocked, then it will be useful to discuss the risk of leaving a computer unlocked.
All users need to understand the importance of security and the consequences of its failure. During the security awareness program, you will notice that some of your coworkers in various departments are more engaged than others. These employees can be your security program ambassadors and can reinforce the security culture in their departments. The recognition of these program ambassadors in newsletters or company-wide events will attract other employees to get involved and help create a culture of cybersecurity.
Awareness and training are usually topic-specific and focus towards a group of employees. The education, however, refers to a robust effort to increase employees’ skills and to meet management’s mandates. Think of a secure development course that may last few weeks. While proven useful, education can be costly and put a resource constraint on an organization.
Now that our Security awareness program has been created, we will use our program to initiate behavioral changes towards a security-minded model.
Most employees believe that security is the sole responsibility of the information security team. Sustainable security culture requires that everyone in the organization assumes the responsibility.
Security liaisons are your ambassadors and security advocates in each department. During the security awareness sessions, you will notice a few individuals will show more interest in the training. These individuals are your candidates for information security liaisons. They will assist you in promoting the security culture in their department. Employees are more willing to make a change if their peers are driving it.
Make the security program fun: Pass out swags with security tips, share an interactive security quiz, etc.
Some employees will go above and beyond their call of duty to protect the organization. Recognize them. A $25 gift card to a favorite coffee shop or a gift card to a book or music store will go a long way. You can also buy lunch for any department that completes the security training with the best scores.
Measuring the effectiveness of your security program can be a challenge. How do you track a change in employees’ behavior? If the security program has been effective, then a few differences should be visible. For instance, fewer employees are clicking on the phishing links and more employees are reporting suspicious emails or behavior, etc.
A survey can be used to capture employees’ feedback. It will help optimize the program and will keep the employees interested. Meeting monthly with your information security ambassadors over lunch and lessons learned help ensure the continuity of the program.
Patience and consistency is the main ingredient of a successful cultural shift. The change will not happen overnight. It will take significant effort and continuous tweaking of the program.