Four Tips to Build a Security Culture
We know that robust cybersecurity programs are crucial. What’s equally important – and often overlooked – though, is communicating your program to your staff and clients. You can have the strongest cybersecurity program, but the simple fact of the matter is: if no one knows their roles or follows your policies, your business will be exposed to unnecessary risk. In fact, the biggest threat to your cybersecurity is human error – these events account for nearly 90% of all cyber incidents.
And while cybersecurity measures like firewalls and antivirus software are essential, cybersecurity risks cannot be mitigated with technology alone. People – both internal (staff) and external (clients and vendors) – are key parts of the puzzle.
It’s no surprise, then, that Luke Kiely, cybersecurity expert and SmartVault Chief Information Security Officer, says, “Educating people is the primary driver to ensuring they adopt your cybersecurity program and associated policies.”
It’s not as simple as asking people to read your program, though. You need to create a security culture, which the National Protective Security Authority defines as “the set of values, shared by everyone in an organization, that determine how people are expected to think about and approach security.”
Building and maintaining this culture requires effective, ongoing communication that ensures everyone understands and takes accountability for keeping data safe. It also needs to be a priority from the top down. Executives and managers must understand the importance of cybersecurity and lead by example.
This whitepaper summarizes key tips and insights from cybersecurity and accounting experts on how to communicate your program and build a security culture.
Keep Training Simple
“Having simple policies and procedures for staff to digest and follow is the starting point to a successful program,” Luke explains. Avoid overwhelming staff with technical jargon and too much information. Instead, Luke recommends “keeping it simple and focusing on key policies relevant to each person’s role.” Also, don’t just rely on one form of communication, as people learn in different ways. Offer a mix of in-person training, videos, ‘how to’ guides, FAQ articles, and more.
Focus On the Why and the How
A common mistake businesses make is centering the training on why cybersecurity is important; while that’s crucial for your team to understand, your training needs to be much more robust to be effective.
“You have to teach them what their specific role is and how they should respond to a cyberattack,” Luke explains. “When you think about phishing emails, for example, it is critical that staff are trained to identify them and what to do if they receive one.” Luke also encourages businesses to take training further by rehearsing cybersecurity incidents and practicing their response plans. “These rehearsals include your staff, but also IT, legal, senior management, and potentially your HR and public relations teams…anyone who will be a critical decision-maker in the event of a cybersecurity incident.”
Educate and Train Multiple Times a Year
Cybersecurity threats constantly evolve, so it’s important to ensure staff understand and follow the latest best practices. Quarterly or biannual training helps keep policies top of mind. If you think your staff will balk at multiple trainings a year, consider how it’ll help them in their personal lives as well. Hackers, after all, don’t just attack businesses. Your staff can implement what they learn through the training to protect their personal accounts.
Avoid the Blame Game
When errors happen, you must balance accountability with learning. “Do not criticize, blame, and target people who don’t do the right things,” Luke says. “As soon as you start doing that, you create a bad culture,” where suddenly people may be discouraged from reporting incidents. Instead, focus on constructive feedback and improvement. Encourage staff to ask questions and report suspicious emails or activities without fear of reprimand – and always thank staff for voicing their concerns or reporting incidents. Use mistakes as an opportunity to improve your company’s security defenses and maintain a blame-free response to encourage continued transparency.
Effectively Communicate Your Cybersecurity Plan
Strengthen your security culture and reduce risk by downloading our free whitepaper, How to Effectively Communicate Your Cybersecurity Plan to Staff and Clients. You’ll get actionable advice from cybersecurity experts on communicating policies in a clear, constructive way to both internal and external stakeholders.