We asked Joe Danaher, Chief Information Security Officer, about creating a culture of security awareness.
Why Should You Build a Culture of Security Awareness?
The risks to all businesses from cybersecurity breaches are well-documented, and they are growing. Most experts advise businesses to plan for a breach because one is likely to occur. Your IT staff have probably also been asking for additional resources to help combat the very real threat of bad actors who want to steal your data. As an owner or executive at your company, what is your role in all of this?
The stakes are high and the threats are very real. Organized crime syndicates with large budgets have teams working on the next malware attack even as you are reading this article. Likely they have more people and larger budgets than your IT team. Cybercrime does pay and that is why it continues to be a growing problem. You may have approved expenditures on some technical defenses and perhaps even approved a security awareness training program for your staff, but as a leader in the business, what have you done?
Make it Important.
Research into adoption and culture change in businesses shows that such change is more successful when it is led from the top down. That means not only leading by example, but also making sure your employees understand the importance you place on creating and sustaining a security-aware culture. This can be accomplished through frequent communication with employees. Using staff meetings and regular company communications to raise the topic reinforces the importance management is placing on security awareness.
There are several key steps in successfully creating a culture of security awareness that you should keep in mind as you implement your program. For the training to stick with employees and become part of their culture, they need a motivation beyond how it helps the business. Since cybersecurity affects their personal lives, some of the training should cover practices and tools that help employees protect their personal data on their own devices. Many of the same best practices covered in a Cybersecurity Awareness Training program apply equally to their home networks and computers, and showing that connection helps motivate them.
Another recommendation is to create healthy competition or rewards (the carrot) among departments or teams. This also emphasizes the importance the management team places on the initiative and turns the training into a game. For example, the team with the highest scores on the post-training test, or the fewest clicks on a simulated phishing campaign email, might win a pizza party. When using click rates this way, make sure reporting a suspicious email is rewarded as well, so that an employee who did click is not discouraged from reporting it.
Get Out of the IT Dept.
IT can be a cheerleader, but management will need to gain the support of all departments and interested parties. The effort to create a culture within your business will need many proponents. The importance that management puts on the effort will spread to other departments such as HR, Medical Records and Legal, to name a few.
Publicly recognizing employees is also an important part of developing and sustaining the culture. This recognition should come from the top down and should be public. Good examples include highlighting a “good catch” an employee made in recognizing a phishing email, or in stopping a caller from obtaining “insider” information. This reinforces that the management team views such behavior as the mark of a good employee. It also keeps security awareness on everyone’s mind.
Finally, the security awareness training should be kept simple and not overly technical. The training itself should be easy to access and complete. Staff should be given time during working hours to complete it, so self-paced, web-based training is often very effective, particularly when there is a meeting to act as a “kick-off” and a test at the completion of the training. These steps further demonstrate the value the management team places on security awareness.
The focused training may be only an annual event. To build on it and create a lasting culture of security awareness, however, the management team needs to keep cybersecurity in the company “news” on a regular basis. Providing short training tips weekly or monthly keeps the training current and emphasizes the importance of the topic to employees. When the management team leads the creation of this culture from the top down, cybersecurity becomes a priority for employees as well. Integrity IT has experience helping business management teams through this process, and we have the tools to create a solid foundation for your security awareness program.