A Strong Cyber Security Culture Is Your Best Defense

Image credit: iStockphoto/illustration

2020 has been a year like no other, with organizations in Asia and around the world facing increasingly sophisticated cyber-attacks coupled with COVID-19 scams.

The latest threat report from VMware Carbon Black noted that 80% of Singapore organizations have suffered a data breach as a result of a cyber-attack in the past 12 months. More worryingly, 93% of all Singaporean respondents stated that they had seen an increase in overall cyber-attacks due to employees working from home with the onset of COVID-19 and lockdowns in the country.

While IT professionals worldwide have some thorough and detailed frameworks and guidelines to use when it comes to developing a robust information security strategy, there is one often overlooked component — the human element. It only takes one employee to click on a link in a phishing email to endanger an organization.

Nurturing the human element

Creating a robust cybersecurity strategy includes having a strong cybersecurity culture embedded throughout the organization, engaging employees’ hearts and minds.

A recent security culture report from KnowBe4 noted that some industries such as banking, financial services, and insurance fared significantly better than others. But there was still much improvement needed to ensure that employees understand the importance of their own security hygiene when it comes to safeguarding the organization and its data.

If it is not deliberately defined, culture forms on its own from people, their attitudes, values, unconscious biases, and overall approach to the world. Left unchecked, groupthink emerges, silos form, and you may find yourself amid a toxic culture.

Cybersecurity culture is not just completing training or reporting phishing emails. It is also the unseen and sometimes unmeasurable situations that occur day to day, and how people respond to them.

Organizations should strive to attain a culture where employees are aware of their responsibility to keep things safe, the cyber threat landscape, and the tricks cybercriminals use. It’s also essential for staff to be mindful of the organization’s policies regarding keeping everything secure, understanding what is acceptable online behavior, spotting the red flags, and reporting any potential phishing emails.

Defining cybersecurity expectations

Below are some pertinent questions that you should consider when you’re looking to define your cybersecurity expectations:

1. What attitudes do you expect employees to have towards security?

2. What behaviors do you want to change or see?

3. Do staff have an understanding, knowledge, and sense of awareness?

4. How do you go about communicating with employees? Do they feel like part of the solution?

5. Have you considered and included staff in your policies, and do they know what to do?

6. When it comes to the unwritten rules of conduct at your organization, have you thought to include cybersecurity?

7. Lastly, and perhaps most notably, as without it you are doomed to fail — do employees understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?

Once you have the answers to these questions, you are on your way to developing your cybersecurity culture and securing your organization.

Creating cybersecurity awareness among employees

To create a strong cybersecurity culture within your organization, it’s also imperative to ensure that your employees have a good understanding of cybersecurity. Below are some tips on how you can go about this:

  • Start immediately. From the moment employees are hired, they must be given comprehensive, personalized security awareness training. The training should be engaging and use examples that also give guidance on an employee's private digital life.
  • Keep it front of mind. Make it clear to employees that they have to ask themselves, for every email, attachment, or USB stick, whether it can be trusted.
  • Explain why. It is essential to adequately explain why being cyber safe is so important. Explain phishing emails using real business cases. In this way, loss of money or reputational damage becomes tangible for employees at all levels of the organization.
  • Reward good behavior. Rewarding safe behavior with a positive incentive works. Protecting your data, for example through a password manager, is often not much work; if employees also get something in return, they will be more willing to follow the rules.
  • Keep updating knowledge. Monthly, joint IT and HR updates keep all employees’ security awareness at a high level.

Having a good cybersecurity culture is vital for your organization to keep its cybersecurity defenses up and avoid falling victim to a cyber-attack. After all, your employees will be your organization’s last line of defense more often than not.

Jacqueline Jayne, Cybersecurity Awareness Advocate, KnowBe4 APAC, authored this article.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of HR&DigitalTrends.