{"id":20377,"date":"2020-01-16T09:47:03","date_gmt":"2020-01-16T08:47:03","guid":{"rendered":"https:\/\/vantisco.it\/?p=20377"},"modified":"2020-01-16T09:47:03","modified_gmt":"2020-01-16T08:47:03","slug":"five-strategies-for-cultivating-a-cybersecurity-culture","status":"publish","type":"post","link":"https:\/\/vantisco.it\/it-services\/2020\/01\/16\/five-strategies-for-cultivating-a-cybersecurity-culture\/","title":{"rendered":"Five Strategies for Cultivating a Cybersecurity Culture"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-20378 alignleft\" src=\"https:\/\/vantisco.it\/wp-content\/uploads\/2020\/01\/Cybersecurity-Culture-300x211.png\" alt=\"Cybersecurity Culture\" width=\"300\" height=\"211\" \/>In today\u2019s business environment, the culture of an organization is a known driver of a company\u2019s success. A well-known study from Deloitte looked at the impact of core beliefs and culture on the success of an organization. It found that \u201cexceptional organizations create and sustain a culture that engages and motivates their employees\u201d. The same is also true for the <strong>cybersecurity culture<\/strong> of a business. Here are five strategies that you can use to cultivate a successful cybersecurity culture in your organization.<\/p>\n<p><strong>Focus on Benefit<\/strong><\/p>\n<p>Do you think of security as a benefit? Do your employees? In a cybersecurity culture, the answer should be a resounding \u201cYES!\u201d to both of these questions.<\/p>\n<p>We have all experienced the dreaded \u201cannual training\u201d requirements of a job\u2014boring, disconnected content served up in a boring environment. If this is your employees\u2019 attitude in relation to your cybersecurity training, you may have won the battle of checking off that employees have been trained, but lost the war of building a secure organization. 
What can you do to change this?<\/p>\n<p>Use breakthrough internal marketing campaigns to nurture the attitude that security enables other goals. Your messages should focus on the benefits of strong security\u2014such as boosting organizational reputation and allowing work from home\u2014not the sacrifices. At the same time, take conscious steps to minimize the burden of compliance on employees.<\/p>\n<p>Extend security awareness beyond the workplace, to home and family. By helping employees address personal cybersecurity concerns, you are building good habits and a \u201csecurity mindset\u201d that will also benefit the workplace.<\/p>\n<p>Calculate the full cost of compliance for your organization, including your employees\u2019 time, annoyance, and effort. And once you know the real cost of compliance, minimize it! Research indicates that the more employees perceive compliance as costing the organization, the less likely they are to comply. One means of reducing costs is to automate security wherever possible, such as using Multi-Factor Authentication (MFA) and applying the Principle of Least Privilege (PoLP) when designing access controls. Automating controls can help alleviate the costs of compliance and integrate security practices into workflows almost imperceptibly.<\/p>\n<p><strong>Build Knowledge<\/strong><\/p>\n<p>Do your employees have comprehensive knowledge of your company\u2019s cybersecurity systems and their role in your strategy? They should.<\/p>\n<p>Occasional emails about new risks are not enough. Once-a-year compliance training is not enough. Your cybersecurity training should be as robust as your safety and ethics training programs.<\/p>\n<ul>\n<li>You must communicate to employees the organization\u2019s cybersecurity and compliance standards, as well as best practices and expectations. If you do not, you cannot properly measure compliance, nor hold employees accountable for their actions. 
All employees should have ready access to policies, resources, and information from a knowledge base, hotline, or their managers.<\/li>\n<li>You can support depth of knowledge through rigorous training, close supervision, periodic monitoring, testing, and simulations. Although intensive training and monitoring may be perceived as expensive in terms of money and time, it only takes one untrained person to cause a breach.<\/li>\n<li>Building that knowledge will pay off in employees who recognize and report anomalies. A clear understanding of normal security operating procedures allows employees to quickly catch when something (or someone) is out of place. This holds for scenarios ranging from an employee finding a door to a secured area propped open and notifying security, to your webmaster noticing suspicious code on a web page and researching its source.<\/li>\n<\/ul>\n<p><strong>Develop a Questioning Attitude (Don\u2019t know? Not sure? Ask!)<\/strong><\/p>\n<p>Do your people refrain from intentionally violating protocol and immediately self-report mistakes? If not, why not?<\/p>\n<p>People make mistakes. Whether consciously or carelessly, your employees will break protocols and shortcut procedures. A 2018 study from Shred-it found \u201cone-third of working adults in the U.S. admitting to potentially risky behavior at work\u201d. This is a security risk that can be mitigated by encouraging employees to develop a questioning attitude.<\/p>\n<ul>\n<li>You can support integrity by eliminating the fear of honesty and increasing the consequences of dishonesty. Encourage employees to report innocent mistakes. An inadvertent click in a suspicious email should be reported without fear of censure.<\/li>\n<li>Treat unintentional, occasional errors as learning opportunities, but give no second chances for intentional violations. 
When there are no second chances for intentional violations or dishonesty, workers are less likely to take shortcuts and more likely to report errors right away.<\/li>\n<li>Ensure your company has a simple reporting mechanism that is quickly and easily accessible by all employees, and that performance policies explicitly support integrity in relation to cybersecurity.<\/li>\n<\/ul>\n<p><strong>Identify Champions<\/strong><\/p>\n<p>Quick, can you name five people in your organization who are rock stars when it comes to cybersecurity? Why aren\u2019t you tapping into their potential as leaders?<\/p>\n<p>Relationships matter in any culture, including cybersecurity. Relationships with supervisors, colleagues, and top managers affect compliance with security policies. These relationships increase personal connections to work, thereby enhancing motivation.<\/p>\n<p>Starting a \u201cChampions Program\u201d for cybersecurity will help to encourage positive, trusting relationships that enhance your organization\u2019s cybersecurity readiness. Open, regular communication about strategy, goals, performance, and challenges can help cultivate relationships and enhance belief in the importance and effectiveness of cybersecurity policies.<\/p>\n<ul>\n<li>Executive support is essential for the success of a security champions program. Identify and document a phased-approach business case (with adequate funding) and present it to those at the top. Emphasize the connection of the program to core business objectives.<\/li>\n<li>A champions program must be organization-wide. The program should have contacts for each role and location in the company. These should be colleagues who understand the role of the employee, but also the challenges of executing that role securely.<\/li>\n<li>Determining who will be your security champions in an organization should fit the ethos of your company. Frame the program as an employee development and growth opportunity based on peer networking. 
One method is to use a nominations-based approach (manager, peer, or self) for identifying participants.<\/li>\n<li>Champions should first be trained in cybersecurity, then for their role as a champion. To be clear, these are two different skill sets. Participants should be confident in the cybersecurity aspects of the organization and have strong interpersonal skills, including communication, active listening and motivation.<\/li>\n<li>Provide your champions with easily accessible materials they can use for reference and to reinforce consistent messaging. Allow them to take standard materials and create content that is specific to the roles and people they are supporting.<\/li>\n<li>In order to continue building your knowledge base, create an easy and effective tracking system for questions or concerns that champions receive consistently. This is an important way to make sure that the content and messaging are working for an organization.<\/li>\n<\/ul>\n<p><strong>Reward Secure Behavior<\/strong><\/p>\n<p>Do you reward your employees when you find them following cybersecurity best practices and protocols? Why not?<\/p>\n<p>Breaches are scary. The money, time, and business that can be lost as a result of a breach may lead some organizations to use fear tactics with employees to try to change their behavior. By doing so, we create employees who only react when something bad occurs. They will fail to be engaged in the real day-to-day strategy of cybersecurity culture.<\/p>\n<p>A century of research shows that threatening punishment can be a powerful attention-getter. However, just raising awareness does not equate to encouraging employees to behave in the right way. In fact, it can have the opposite effect of clouding their minds with fear. This is precisely why phishing emails work well &#8211; they contain warnings and threats that cause the recipient to respond out of fear. 
Recent research specifically around cybersecurity has shown that positive reinforcement will get you much farther toward eliciting the right behavior.<\/p>\n<p>In a recent article for InfoSecurity Magazine, Arun Vishwanath discussed and weighed these methods, from threatening employees who click on phishing emails with more extreme punitive measures to financially rewarding those who report them. He noted that \u201csocial rewards such as public praise, recognition and appreciation through announcements acknowledging those users who have reported suspicious emails, along with appropriate communication, shows the value of this reporting works better than all other approaches.\u201d He concludes the article by noting \u201cEffectively harnessing the power of employees through the use of appropriate strategies for incentivizing reporting is the difference between organizations that are reacting to cyber-attacks and those that are proactively stopping them.\u201d<\/p>\n<p>In the fast-moving field of cybersecurity, it is easy to fall into the trap of thinking (hoping) that with an annual security awareness course, you have the \u201chuman factor\u201d covered. But getting your people to reliably comply with policy requires a multi-faceted program of regular and open two-way communication, engaging relevant training and internal marketing, grassroots promotion and positive reinforcement. The good news is that taking steps to address the five components discussed in this post will take you a long way down the road to building a cybersecurity culture in your organization.<\/p>\n<p>Reference: <a href=\"https:\/\/www.globallearningsystems.com\/\">Global Learning System<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today\u2019s business environment, the culture of an organization is a known driver of a company\u2019s success. A well-known study from Deloitte looked at the impact of core beliefs and culture on the success of an organization. 
It found that \u201cexceptional organizations create and sustain a culture that engages and motivates their employees\u201d. The same&hellip;<\/p>\n","protected":false},"author":7,"featured_media":20378,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"wds_primary_category":0},"categories":[17],"tags":[27],"class_list":["post-20377","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","category-17","description-off"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/posts\/20377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/comments?post=20377"}],"version-history":[{"count":0,"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/posts\/20377\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vantisco.it\/it-services\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/media?parent=20377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/categories?post=20377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vantisco.it\/it-services\/wp-json\/wp\/v2\/tags?post=20377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}