Building a Culture of Cybersecurity: Why Awareness and Training Matter
9 June 2024 at 08:51
What is "Security Culture"?
Security culture is the set of values shared by all the employees in an organization, which determine how people are expected to perceive and approach security. It is the ideas, customs and social behaviours of an organization that influence its security. Security culture is the most crucial element in an organization’s security strategy as it is fundamental to its ability to protect information, data and employee and customer privacy. Perception about cybersecurity has a direct impact to the security culture. It could be either positive or negative. It’s deemed to be positive if information security is seen as a business enabler and viewed as a shared responsibility instead of becoming the CISO’s sole responsibility. On other hand it’s perceived negatively if security viewed a hindrance or a showstopper to business or production. A sustainable security culture requires care and feeding. It is not something that develops naturally, it requires nurturing, relevant investments. It is bigger than just ad-hoc events. When a security culture is sustainable, it transforms security from ad-hoc events into a lifecycle that generates security returns forever. Security culture determines what happens with security when people are on their own. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure throughout the development life cycle. Security culture should be engaging and delivering value because people are always keen to participate in a security culture that is co-created and enjoyable. Furthermore, for people to invest their time and effort, they need to understand what they will get in return. In other words, it should provide a return on investment, such as improving a business solution, mitigating risks associated with cyber breaches. Culture change can either be driven from the top or be a bottom-up approach, depending on the composition and culture of the organization. A bottom-up approach rollout allows engaged parties to feel they are defining the way forward rather than participating in a large prescriptive corporate program, while support from the top helps to validate the change, regardless of how it is delivered. In particular, a top-down mandate helps to break down barriers between various business functions, information security, information technology, development team, operations, as well as being one of the few ways to reach beyond the technical teams and extend throughout the business. Organizations that have a Strong Cybersecurity culture have the following:- Senior leadership support from Board and Exco that echo the importance of cybersecurity within the organization.
- Defined a security awareness strategy and programme, including the Key Performance Indicators (KPIs).
- Targeted awareness campaigns which segment staff based on risk. Grouping users by risk allows for messages and the frequency of messages to be tailored to the user group.
- A cybersecurity champion programme which allows for a group of users embedded in the organization to drive the security message.
- Usage of various of mediums to accommodate different types of people who learn differently.
- Employees are always encouraged to report cybersecurity incidents and they know where and how and to report incidents.
- Creating an organizational culture where people are encouraged to report mistakes could be the difference between containing a cyber incident or not.
- Measurements to test effectiveness: This is often done with phishing simulations.
- Employees have a clear understanding of what acceptable vs what is not acceptable.
- Information security becomes a shared responsibility instead of CISO’s sole responsibility.
The below image depicts percentage of adopted awareness capabilities
Security architecture principles such as Defence in Depth, the failure of a single component of the security architecture should not compromise the security of the entire system. A defense-in-depth mechanism should be applied to mitigate phishing related risks. This approach applies security in different layers of protection, which implies that if one control fails the next layers of controls will be able to block or stop the phishing attack. The controls involve a combination of people, processes and technologies. User behavior analytics (UBA) should be used to augment the awareness programme by detecting insider threats, targeted attacks, and financial fraud and track users’ activities. Advanced our phishing attack simulations by using GEN AI based simulations should also be conducted to combat advanced phishing attacks.Possible Measurements
There are several measures that can be applied to measure the level of a security conscious culture:- Employees attitudes towards security protocols and issues.
- Behaviour and actions of employees that have direct and indirect security implications.
- Employees understanding, knowledge and awareness of security issues and activities.
- How communication channels promote a sense of belonging and offer support related to security issues and incident reporting.
- Employee knowledge, support and compliance to security policies, standards and procedures.
- Knowledge and adherence to unwritten rules of conduct related to security.
- How employees perceive their responsibilities as a critical success factor in mitigating cyber risks.