You know it. We know it. Information Security is not just the domain of your IT staff. As a cyber security professional, you are undoubtedly aware of the part all employees play in the overall level of cyber security within your business. You know that to mitigate risk in Information Security you need to radically overhaul your company culture to reflect cyber security vulnerabilities and what each and every employee can do about them.
When the corporate culture in your business has been shifted to one that takes a serious and holistic approach to cyber security then there will be enormous benefits. When cyber security vulnerabilities are part of general awareness and general response then the result is far more disciplined methods of business, which are ultimately good for the bottom line. Additionally, a culture of cyber security improves and builds upon both customer and stakeholder trust. With branding being essential to your success, reliable cyber security makes you a brand to be trusted. And of course, there is the reduced overall information security risk that comes about from a cyber security culture.
Ignorance is bliss until that ignorance is the cause of a problem. Your first step is to identify the problem areas within your business and start to raise awareness about them. By raising awareness you remove ignorance as a defence and start to create the building blocks of a corporate culture dedicated to upholding cyber security. One of the easiest ways to do this is through the creation of an Information Security Policy which forms part of your Employee Handbook.
High on your agenda should be training for all employees on cyber security and their responsibilities within that. Once employees are aware of the problem, they need to be given the tools with which to act. Regular and repeatedly refreshed training should cover issues such as how to access, manage, utilise, store and destroy data. Whilst your domain is behind the computer screen, don’t forget that this training must extend to both physical and digital data if you are wanting a holistic approach to data security.
Employees need to be trained to understand how their actions and inactions can expose their company to security breaches such as theft, fraud and data loss. Whilst you can’t mitigate all security vulnerabilities, they need to understand their part.
Don’t stop once the training course is finished. The benefit of training is improved when the message is repeated regularly. Therefore utilise internal communications to refresh and remind employees about their responsibilities towards cyber security. This might best be achieved through email, or the intranet and newsletters.
Many employees who work regularly and routinely with digital data can gradually filter out important messages about information security in the pursuit of ease. Therefore, you might send an email reminding employees about data protection and information security, or you might flag it up on the intranet, but some employees will delete the message before it is even read. Therefore, extend your reach beyond the computer screen and ensure a physical presence around the office. For example, you might put up warning and reminder signs near printers, shredders and in the staff canteen, or raise the topic at town hall meetings.
Company culture often reflects the nature of the senior managers and board members. Therefore, none of the above steps will be effective without getting the top level of the company on board and encouraging them to feed down a culture of information security.
To do this you need to identify their motivation. Both a carrot and a stick approach can be taken. The benefits of a good cyber security culture need to be highlighted. Senior management and the board need to understand that reputations can be bolstered by excellent cyber security. Additionally, they need to understand the flip side of the coin. Cyber security professionals need to convey to the most senior staff exactly what a cyber security breach might look like in their individual circumstances and the financial, legal and reputational damage that it may cause.
Further, you need to ensure that a collaborative approach is taken by senior management, whereby every department understands they are on the same side with information security. Closing cyber security vulnerabilities is a complete team effort and not a competition.
In order to ensure that you build a culture of information security that continues to adapt, whatever the current cyber risks, you need to continually review the above 5 strategies. In so doing, your cyber security culture will help to mitigate risk and keep your business and data secure.