By John Hock, CPA, CISA, CITP, SOC – IT Manager, IT Advisory and Security Group

What do you think of when you hear cybersecurity? Information technology (IT)? The Internet? Hackers? Data breaches? Maybe you just think, “All this internet stuff is scary, glad we have an IT team to protect us.” A common misconception is that IT departments bear the entire burden of keeping cybersecurity risks at bay. Yet today’s reality shows that couldn’t be further from the truth.

Combating cyberattacks requires an organization to band together and embrace better security practices from top to bottom. Building this type of culture increases an organization’s resilience to cyber threats more than any IT department can on its own.

What Is Cybersecurity?

Before you can build a culture that embraces cybersecurity, you have to understand what it is. According to Merriam-Webster, cybersecurity is ‘measures taken to protect a computer or computer system (company network) against unauthorized access or attack.’ In its broader meaning, however, cybersecurity extends well beyond the technology used to do our jobs and protect our systems; it includes our people, processes and culture.

Shifting the Mindset

Today, the old mindset that cybersecurity falls on the shoulders of the IT department doesn’t translate to the digital era we live and operate in. Shifting the organization’s mindset to understand that threats apply to everyone is an important component of building a resilient cybersecurity organization.

Although having a strong team of IT security experts and continuing to invest in technology is a step in the right direction, even the best technology and team cannot provide absolute security for an organization’s biggest threat – its people. This includes malicious insiders, employees falling victim to social attacks like phishing or pretexting, and just plain old human error. According to Verizon’s 2018 Data Breach Investigations Report, one in five breaches were a result of human error.

How can your organization create a security-centric culture? Outlined below are five ways your organization can start shifting its culture.

1.  Lead by Example – Here comes the buzzword – ‘tone at the top.’ An organization needs key decision makers and influencers to be on-board with cybersecurity. Creating and fostering a mindset for a cyber-aware culture can only be done by leadership pushing the efforts. This includes educating employees on their roles and responsibilities as they relate to cybersecurity, understanding and standing behind security investments, and encouraging the organization to include cybersecurity within the enterprise risk framework. Not to say leaders must obtain a deep and thorough understanding of all that is cyber, but demonstrating common security practices within their day-to-day activities and inspiring others to be diligent when it comes to these cyber risks is the first step to building the right cybersecurity culture.

2.  Deploy On-Going Training – We have all heard the saying ‘knowledge is power,’ and this statement has never been truer than in today’s interconnected world. The best way to give employees the tools to assist in the organization’s cyber defense is to educate them. There is no one-size-fits-all solution to training, as each organization’s approach will be different. Training may include online learning platforms, social engineering campaigns, in-person classes, frequent communication from leadership, or even simple posters in common areas. Employees should understand how to identify unusual activity, such as suspicious emails or system behavior, and what actions to take immediately so that concerns are resolved before they grow.

Setting the expectation and the organization’s stance on cybersecurity from day one is important. Consider including the training as part of your onboarding process. Yet, to be most effective, repetition is required. For example, did you know October is National Cybersecurity Month? This is a great time every year to reinforce cyber awareness across the organization.

3.  Evaluate Performance – Incentives have long been used to influence behavior and business direction. Financial and operational performance metrics are commonly used to shift company focus, say from sales to customer service, and the time has come to add security metrics to our performance management process. Performance goals for security might include timely completion of security training, positive trends in security or policy violations, and improving results in social engineering exercises.

4.  Set the Expectations – Having formal documentation, such as technology policies and procedures, that has been approved or supported by the leadership team allows employees to go back and reference what is expected of them any time a potentially suspicious situation arises. Common policies include: minimum requirements for system passwords and guidance on creating a secure, easy-to-remember passphrase; the required use of multi-factor authentication; formal requirements for handling public, sensitive and confidential data; and the consequences for non-compliance.

5.  Assess Progress – Cybersecurity programs can’t remain static if they are to stay effective. Assess your organization’s and its employees’ progress. Many organizations rely on an independent third-party vendor, such as Doeren Mayhew, to perform various cybersecurity reviews that uncover the true effectiveness of the program. These can range from basic cyber posture checks to determine whether proper controls are in place, to social engineering campaigns that surface employee weaknesses, to identifying network or perimeter risks through a vulnerability assessment. Assessing your organization’s progress annually provides good benchmarking metrics to see where you stand against your cybersecurity goals and gives you knowledge to share with employees about the impact of their role.

Creating a culture of security requires everyone to understand the role they play in it. Implementing these basics makes that mindset shift easier and helps build a resilient cybersecurity culture.

For assistance in evaluating your cybersecurity program or building its framework, contact Doeren Mayhew’s cybersecurity advisors. We have a suite of CYBERCLAW™ solutions that can be tailored to fit your organization’s needs and budget.