It's been a crazy couple of years, and things are still changing rapidly all around us. But you don't need me to tell you that; you're probably living it in your organization already. In the IT sector, we've gone through a global chip shortage, the postponement of major tech events, the delay of product launches, and, perhaps most importantly, nearly every company shifted almost entirely to remote work.
This sudden shift to remote work set off a chain reaction of events, among them a huge uptick in cyber attacks. The FBI has reported a 300% increase in cybercrimes in the US since the start of the pandemic.
Even after the pandemic, most companies are opting for at least a hybrid model of work, and this is driving changes in their approach to cybersecurity. Organizations and cybersecurity teams are coming up with new strategies to cope with this new environment.
Cybersecurity professionals have started emphasizing the role of organizational culture. More than anti-virus software and firewalls, employees' perception of threats and their individual notions of cybersecurity are playing an increasing role in keeping an organization and its digital assets secure.
In line with this, the focus has shifted to building a strong cybersecurity culture within organizations.
What do we mean by "cybersecurity culture"?
The cybersecurity policies of most organizations revolve around the cybersecurity team or department. The team, along with the CISO (Chief Information Security Officer), writes the security policy for the organization and devises strategies based on the available resources, the risk involved, and other factors. Cybersecurity culture is about decentralizing cybersecurity responsibilities to everyone in the organization.
Let’s take a look at "organizational culture".
An organization’s culture defines how employees conduct themselves in their work environment, whether in an office or work-from-home situation. It dictates how employees communicate, the boundaries, the way they dress or present themselves, and what’s expected of every employee. A cybersecurity culture attempts to reduce the overall cybersecurity risk by strengthening an organization’s weakest link and its most valuable resource: its people.
Cybersecurity culture leverages the organizational culture to reduce the security risk.
Instead of defining protocols for every situation or sending out monthly emails reminding employees to change their passwords, a cybersecurity culture ingrains best security practices within the workforce. Rather than telling employees what to do, the focus is on making them aware of the risks involved and of the best practices. The approach empowers employees to take cybersecurity into account in the decisions they make day to day.
For example, cybersecurity teams often roll out two-factor authentication for every device or account employees use. But when a team is developing a product for internal use, security often becomes an afterthought. With a good security culture, that same team will be motivated to build security into the product from the start.
An effective cybersecurity culture makes security second nature to employees, like digital collaboration or clocking in and out every day.
How do you build a cybersecurity culture?
The sudden need for a cybersecurity culture was driven by the pandemic. Ransomware attacks and phishing emails became much more common. Employees and their devices were more exposed to attacks, and the IT team or the cybersecurity team alone couldn't handle the threats. While asset management tools and AI threat detection have proven useful, all employees have to play a more active role in ensuring the digital security of an organization.
Besides phishing, a remote and distributed workforce creates other cybersecurity issues as well. Unlike an in-office situation, the employee devices are not physically secure while working remotely. One of your team members may leave their laptop unattended at a cafe or there may be a burglary at their house.
The risks of shadow IT are also higher during remote work. Employees are more likely to use tools or software that they feel are best suited for their work without the knowledge of the IT department. This can create unknown risks for the organization.
A team that is aware of cybersecurity risks, that proactively takes security-oriented decisions, that cares about cybersecurity even when no one is looking, can significantly mitigate the cybersecurity risks and create a cyber-resilient organization.
Strategies to build a culture of cybersecurity
Here are a few strategies that experts recommend to build a robust cybersecurity culture:
Build support from the top.
This is one of the first and most important steps in building a security culture. The organization will have to allocate resources for this initiative, and support from top management can streamline the implementation. It's important that management understands the need for a cybersecurity culture, its benefits, and how it can save expenses and reputation in the long run.
Executive participation will also help other employees understand its importance and drive them to join the initiative. A cybersecurity champion among the executives can motivate the organization as a whole to sharpen its cybersecurity skills.
Raise awareness within the organization.
Employees who are aware of the impact of a cybersecurity incident and how simple measures can avoid it are more likely to work with your initiatives.
Dr. Dawud Gordon, CEO of TWOSENSE.AI, is working with the US Department of Defense to develop defense-grade cybersecurity. We spoke to him about how to build a culture of cybersecurity in an organization. He says: "If employees are educated about the impact of a potential breach, they're much more willing to change their behavior to prevent that worst-case scenario."
"Knowing that the phones will be ringing constantly as worried customers call every line they can reach, that random employees will be asked for quotes by the press, and that lawsuits could require a painstaking discovery process can change how people perceive security inconveniences."
Carrots, not sticks.
Most cybersecurity experts agree that punishments or a culture of shame are not the way to go. You may notice that some members of your organization are alarmingly lax about their cybersecurity practices; the whole point of building a cybersecurity culture is to understand and correct such habits.
While punitive action may give you short-term results, the team won't understand or appreciate your goals this way, and the gains may fade in the long run.
Rewarding good behavior is likely to encourage participation, and your team will have a positive attitude towards the program. Apply gamification, make it fun within the company culture, and get your employees talking about it. Brand your cybersecurity culture, launch swag such as laptop bags or hoodies with the branding, and award them to top performers.
Don't just "set it and forget it."
Cybersecurity culture is not something you can implement with just one or two seminars or office memos. It's a continuous process: a cycle of implementing, measuring, analyzing, and revising the strategies.
Threats are constantly evolving, and you have to keep iterating on your strategies to keep your employees prepared.
Roll out your initiatives gradually.
Don't try to implement every cybersecurity policy in one go. Start small and build upon it. The most common mistake is "trying to boil the ocean," according to Dr. Gordon. "Many security teams try to implement every cybersecurity best practice at once across an entire organization. That's a recipe for disaster: users are shocked by the new inconveniences, and security teams are overwhelmed trying to fine-tune the new policies."
Don't stress out your organization, and make sure people don't feel like it's just something they have to do. To build a culture, your team must want to do it; they should understand the importance, and they should be on your side.
Arm your team with the right tools.
This one might seem like a no-brainer, but it's an essential part of fostering a culture of cybersecurity. Help your teams internalize these concepts by providing them with a tool that keeps these issues at the forefront. InvGate Insight's IT security and cybersecurity compliance capabilities let you detect whether assets meet your organization's security standards, as well as other external compliance requirements. It flags assets that require special attention, detects assets running unauthorized software, and checks for assets with upcoming warranty expirations.
How Yahoo created a culture of cybersecurity
The cybersecurity culture built by Yahoo's cybersecurity organization (nicknamed "the Paranoids") is a fantastic example, and it was documented in a case study by Harvard Business Review.
The organization brought together the red team, the security awareness team, and the behavioral engineering team, which were all operating separately within the company.
The first step they took was to clearly distinguish between actions, habits, and behaviors. A habit was a shortcut for a repeated action, and a behavior was defined as a combination of habits and actions within a context. For example, using a VPN was considered an action; training employees to instinctively toggle a button to connect to the VPN forms a habit; and the behavior would be employees using the VPN every time they had to connect to company servers.
Once they defined these, they were able to define behavioral goals. A goal wasn't an action or a habit, but something the team wanted employees to do in a specific situation. Once the goals were set, the next step was to understand the baseline and start implementing measures to change the behaviors. An important aspect of setting the goals was making sure each one could be measured quantitatively rather than qualitatively.
For example, the team recognized that employees were vulnerable to phishing attacks through fake login pages. The Paranoids identified three metrics:
- Susceptibility rate: the number of employees who entered their credentials and didn't report the email, divided by the total number of emails sent.
- Credential capture rate: the number of employees who entered their credentials on the fake page and didn't report the link, divided by the number of people who landed on the phishing page.
- Reporting rate: the number of people who reported the email, divided by the total number of emails sent.
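The three metrics are simple ratios, but they are only comparable from one campaign to the next if every campaign counts the same things the same way. The Python below is an added example, not code from the article or from Yahoo's Paranoids: it applies the three definitions above to per-recipient outcome records from a simulated campaign, rejects records that cannot be right (credentials entered by someone who never reached the page), handles the case where nobody landed on the page at all, and compares a follow-up campaign against a baseline, which is the "understand the baseline" step the article describes. The employee names and outcomes are constructed sample data.

```python
"""Phishing-simulation metrics, computed as the three definitions describe.

Added example; the outcome records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Outcome:
    """What one recipient of a simulated phishing email did."""
    employee: str
    landed: bool               # followed the link to the fake login page
    entered_credentials: bool  # typed credentials into the fake page
    reported: bool             # reported the email or link to security


@dataclass(frozen=True)
class CampaignMetrics:
    emails_sent: int
    landed: int
    captured: int        # entered credentials and did not report
    reported: int
    susceptibility_rate: float                # captured / emails_sent
    credential_capture_rate: Optional[float]  # captured / landed; None if nobody landed
    reporting_rate: float                     # reported / emails_sent


def compute_metrics(outcomes: Sequence[Outcome]) -> CampaignMetrics:
    """Apply the three definitions to one campaign's outcome records."""
    sent = len(outcomes)
    if sent == 0:
        raise ValueError("a campaign needs at least one recipient")
    for o in outcomes:
        # Nobody can type credentials into a page they never reached; such a
        # record points to a data-collection bug, so refuse to compute on it.
        if o.entered_credentials and not o.landed:
            raise ValueError(f"{o.employee}: credentials entered without landing")

    landed = sum(1 for o in outcomes if o.landed)
    captured = sum(1 for o in outcomes if o.entered_credentials and not o.reported)
    reported = sum(1 for o in outcomes if o.reported)

    return CampaignMetrics(
        emails_sent=sent,
        landed=landed,
        captured=captured,
        reported=reported,
        susceptibility_rate=captured / sent,
        credential_capture_rate=(captured / landed) if landed else None,
        reporting_rate=reported / sent,
    )


def compare(baseline: CampaignMetrics, followup: CampaignMetrics) -> Dict[str, Optional[float]]:
    """Change in each rate from baseline to follow-up.

    A negative delta is an improvement for the first two rates; a positive
    delta is an improvement for the reporting rate.
    """
    def delta(before: Optional[float], after: Optional[float]) -> Optional[float]:
        return None if before is None or after is None else after - before

    return {
        "susceptibility_rate": delta(baseline.susceptibility_rate, followup.susceptibility_rate),
        "credential_capture_rate": delta(baseline.credential_capture_rate, followup.credential_capture_rate),
        "reporting_rate": delta(baseline.reporting_rate, followup.reporting_rate),
    }


# Constructed sample data: a baseline campaign and one run after awareness work.
BASELINE = [
    Outcome("alice", landed=False, entered_credentials=False, reported=True),
    Outcome("bob",   landed=True,  entered_credentials=True,  reported=False),
    Outcome("carol", landed=True,  entered_credentials=False, reported=True),
    Outcome("dave",  landed=False, entered_credentials=False, reported=False),
    Outcome("erin",  landed=True,  entered_credentials=True,  reported=True),
    Outcome("frank", landed=True,  entered_credentials=True,  reported=False),
    Outcome("grace", landed=False, entered_credentials=False, reported=False),
    Outcome("heidi", landed=True,  entered_credentials=False, reported=False),
    Outcome("ivan",  landed=False, entered_credentials=False, reported=True),
    Outcome("judy",  landed=True,  entered_credentials=True,  reported=False),
]

FOLLOWUP = [
    Outcome("alice", landed=False, entered_credentials=False, reported=True),
    Outcome("bob",   landed=True,  entered_credentials=True,  reported=False),
    Outcome("carol", landed=True,  entered_credentials=False, reported=True),
    Outcome("dave",  landed=False, entered_credentials=False, reported=True),
    Outcome("erin",  landed=True,  entered_credentials=True,  reported=True),
    Outcome("frank", landed=False, entered_credentials=False, reported=True),
    Outcome("grace", landed=False, entered_credentials=False, reported=True),
    Outcome("heidi", landed=True,  entered_credentials=False, reported=False),
    Outcome("ivan",  landed=False, entered_credentials=False, reported=True),
    Outcome("judy",  landed=False, entered_credentials=False, reported=True),
]

if __name__ == "__main__":
    before, after = compute_metrics(BASELINE), compute_metrics(FOLLOWUP)
    print("baseline :", before)
    print("follow-up:", after)
    print("deltas   :", compare(before, after))
```

Note that an employee who entered credentials but then reported the email (erin above) counts toward the reporting rate and not toward the captured count, exactly as the definitions are worded; if your program wants to track "entered at all" separately, add a fourth metric rather than quietly changing these three, or the trend line against the baseline stops meaning anything.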
Through competition, rewards, and recognition, the team created changes across the organization and modified the behavior of their employees, building a robust cybersecurity culture.