29 January 2021

Cybercrime: Creating a culture of responsibility

Making your business cyber-secure takes more than downloading some anti-virus software. The key to cyber security is having a ‘cyber-responsible’ company culture, not only to prevent a cyber-attack on your business but also to minimise the effects of an attack if it does happen.

Here we explain why cyber-responsibility is so important and outline the steps you can take to create a culture that keeps your company safe from cyber-harm.

Culture beats software

Cyber security is not simply a technical solution. Nor does responsibility for it rest solely with the IT department. According to renowned cyber expert Professor Alan Woodward of the University of Surrey, there are three parts to cyber security: people, processes and technology. So, you’ve got secure software installed on every office PC and every remote device – that’s one part addressed, but how about the other two?

People power

Your employees are your strongest line of defence against cybercrime. Why? Because cyber criminals know that however solid a company’s technical fortifications, it is people that offer a potential gap in its defence. Just like the Greeks with their Trojan horse, they have learnt it is far easier to play on human emotion than to break through firewalls. No anti-virus software will prevent an employee clicking on a link in an email from a ‘trusted’ sender and inadvertently opening the gates to the company system, and the confidential information within. “Over 90% of the time the problem is the human in the loop,” says Woodward. “They’ll either be ‘socially engineered’ or they've given something away that allowed people to break into the system.”

Engineering and education

Liz Murray, Global Awareness, Communications and Training Specialist at HSBC, supports the business in creating a healthy cybersecurity culture. She says that much of her work this year has focused on social engineering. “Cyber criminals are clever. We need people to understand that they push their emotional buttons. That the email that tricks you into clicking on it is playing on an emotion such as happiness or fear. People need to know what to look for – to understand the risks and the threats and how they manifest themselves. They need to be aware of the emotions involved.”

Changing the culture

Cyber awareness can be achieved through education, but a healthy cyber culture needs more than knowledge, more than reinforcing learnings and certainly more than just running one training session to mark Cyber Awareness month and then forgetting about it. It requires changing a long-standing cultural norm in which employees fear punishment if they make what could be deemed a mistake. Murray says that companies must instead “foster an openness that allows employees to report potential issues and, crucially, to be unafraid to raise a hand if an incident occurs”. “Cyber awareness must be integral to a company’s culture – it’s what people do when no-one’s watching; that they’re educated and aware enough to be curious, to ask the right questions.”

A process in place

A cyber-aware, cyber-responsible culture means making training resources and information, such as the weekly threat updates from the National Cyber Security Centre, easily accessible to employees. It means having the necessary processes in place that allow staff to report incidents or flag if they suspect they are being targeted, and it also means creating and sharing a response plan that can be activated in the event of an attack – “like a fire drill”, says Woodward. “It doesn't mean you should plan to fail, but you do need some sort of incident response plan should you be breached. You need a chain of command. You need to know how you're going to communicate to staff, to your clients, and to the public.”

The importance of leadership

Just as a healthy company culture stems from its leadership, a cyber-responsible culture “must be driven from the top-down”, says Murray. That leadership should be operational not only in an emergency but as a matter of course, agrees Woodward. Getting leadership buy-in to cyber responsibility can be challenging, and that depends on the culture far more than on business size or sector. Board-level appointment of cyber-focused individuals and increasing digitisation are starting to bear fruit, however. “In the last few years we have seen a change to companies having a Chief Information Security Officer who operates outside of the IT department. So, typically, they should either be on, or report to somebody on, the board because cyber security should be in the risk register for any organisation,” says Woodward. Equally important is that this responsibility is disseminated throughout the organisation, with the CEO or CISO heading the chain of command, supported by cyber advocates at all layers.

“We are all potential targets, across all digital touchpoints, every single day,” says Murray. “That’s why the culture of an organisation is so important in fighting back. We can’t just assume it’s some other person or department’s issue. Cyber-security needs to be an integral part of every company’s communications, decision-making and processes. Investing in creating a more cyber-focused culture can turn your people from cyber-risks to cyber shields.”

How to create a more cyber-secure culture in your business

  1. Take responsibility – lead from the top and by example.
  2. Create regular training and testing programmes to ensure your staff are familiar with threats and how to deal with them.
  3. Be open – ensure staff aren’t scared to speak up and that they have a mechanism to do so.
  4. Collate and circulate the latest threat reports and how these may play out.
  5. Build cyber-security into your processes and policies.
  6. Create a network of cyber advocates or cyber shields across different departments to identify potential areas of weakness and spread information and best practice.
  7. Have a plan to deal with any cyber-attack and practise it so that everyone is aware of their role and responsibilities.
  8. Consider hiring a consultant or cyber-security expert to audit your business and offer bespoke workshops.
