Everyone doing business today shares an unfortunate truth: no matter how strong your cybersecurity program, your employees are your biggest potential source of failure.
It’s not that you’ve hired bad people, but there simply isn’t enough understanding of the issues that matter for keeping the company safe. At a minimum, this leaves the organization more vulnerable to social engineering and phishing attacks, and a successful phish can open the door to a much larger intrusion.
When it comes to cybersecurity, though, businesses are faced with a classic conundrum: How much money and resources should be spent on something that hasn’t – and may never have – happened? It’s easy to blame your employees for being susceptible to spear phishing attempts, but if they weren’t given proper training to spot them, then the fault lies elsewhere.
And that’s just the tip of the iceberg. According to a recent ISACA/CMMI survey on cybersecurity culture, more than 70 percent of companies have specific policies in place for password management, automated device updates and device security, as well as employee training and proper communication workflows. However, only 40 percent of respondents say that their organizations’ efforts to create a culture of cybersecurity with substantial employee buy-in have been more than moderately successful.
Interestingly, while 66 percent of respondents said their organization experienced a reduction in cyber incidents, several of the most common benefits were customer-facing: increased customer trust, better brand reputation, increased profitability and strong customer engagement. It appears that while employees may not care about cybersecurity, customers certainly do.
At my former company, Evernote, we suffered a security breach that affected 50 million users. The breach was contained quickly due to the training and procedures we had in place. More importantly, the damage to the brand was minimal due to the communication we had with the customers throughout the investigation. Interestingly, what we learned was that our customers were more annoyed with us about the heightened security measures we put into their accounts – now by default.
The most common support request at that time was for us to allow people to use their old passwords again – because people didn’t want to have to come up with a new one for each site they log into. (Rather than grant that request, we created training on the benefits of unique passwords.)
How, then, can you ensure you have a cyber culture that sticks? Here are three key components:
1. Find a “driving why”
There’s no surer way to demotivate someone to do something than to be told corporate wants them to do it. Likewise, employees are not usually swayed by talk of how much money the company will potentially lose, especially if it means they have to spend an extra 20 minutes every day on a new security process.
Instead, find a way to motivate employees to complete the process. For example, offer subsidized telecommunications plans to employees who install auto-provisioning software on their personal mobile phones rather than relying on a guest internet connection (or none at all).
2. Train, then train some more
The cybersecurity threat landscape is changing rapidly. Every month there are new issues to tackle that didn’t even exist before.
Whether your company is established or just starting out, frequent communication and hands-on training are crucial to maintaining a safe and secure environment.
3. Lead from the top down
No matter how much training you provide, and whatever incentives you offer your team, if they don’t see leadership following the process, then everything will fall apart. In order to have a strong culture, you need strong leadership to model it.
With those points in mind, the cybersecurity culture of your organization can only grow stronger.
Editor's note: Heather Wilde will participate in a panel discussion on cybersecurity culture this week at ISACA's CSX North America conference.