Creating A Cybersecurity Culture

September 11, 2020

This blog is mostly based on a post by Mark Stone on the Security Intelligence website.

As Jane Austen might say, it is a truth universally acknowledged that cyber security in an organization starts with its employees. The challenge is creating a culture of security awareness, especially when many employees are working from home. Many organizations do not have an awareness program to promote cyber security.

It's been said that the weakest link in cyber security is the least careful employee. Those employees must be engaged by interesting and relevant programs promoted by top management.

Sometimes unconventional training methods are best, such as awards for employees who score high in training programs. Mock phishing emails can test employee awareness. (An alternative: mail employees an envelope with no return address but "URGENT - OPEN IMMEDIATELY" on the outside. Inside, a message at the top reads "If this were a malicious email, your computer would be infected," followed by a warning not to click on unsolicited emails, especially those with attachments, and additional security tips.)

Employers can improve security by using automatic locking, employment management software and secure password management in their networks to reduce the decisions employees must make.

Cyber security starts at the top. Executives must understand their company's risk tolerance. They can test responses to threats by having one team simulate a cyber attack and another defend against it. While scare tactics won't work on employees, security administrators can use them to warn executives of security risks.

Ten tips for a cybersecurity culture:

  • Use constructive and collaborative criticism.
  • Test employees often, preferably monthly.
  • Report awareness progress results to management.
  • Have a simple process for reporting suspicious emails.
  • Use interactive training.
  • Don't be too forceful or overbearing.
  • Include managers, key stakeholders and IT teams.
  • Don't use the same phishing test for everyone on the same day.
  • Don't start the program with complicated concepts.
  • Remind everyone that security applies at home, not just the office.