Cyber awareness can be achieved through education, but a healthy cyber culture needs more than knowledge, more than reinforcing lessons and certainly more than running one training session to mark Cyber Awareness Month and then forgetting about it. It requires changing a long-standing cultural norm in which employees fear punishment if they make what could be deemed a mistake. Murray says that companies must instead “foster an openness that allows employees to report potential issues and, crucially, to be unafraid to raise a hand if an incident occurs”. “Cyber awareness must be integral to a company’s culture – it’s what people do when no-one’s watching; that they’re educated and aware enough to be curious, to ask the right questions.”
A process in place
A cyber-aware, cyber-responsible culture means making training resources and information, such as the weekly threat updates from the National Cyber Security Centre, easily accessible to employees. It means having the necessary processes in place that allow staff to report incidents or flag that they suspect they are being targeted, and it also means creating and sharing a response plan that can be activated in the event of an attack – “like a fire drill”, says Woodward. “It doesn't mean you should plan to fail, but you do need some sort of incident response plan should you be breached. You need a chain of command. You need to know how you're going to communicate to staff, to your clients, and to the public.”
The importance of leadership
Just as a healthy company culture stems from its leadership, a cyber-responsible culture “must be driven from the top-down”, says Murray. That leadership should be operational not only in an emergency but as a matter of course, agrees Woodward. Getting leadership buy-in to cyber responsibility can be challenging, and that depends on the culture far more than on business size or sector. Board-level appointments of cyber-focused individuals and increasing digitisation are starting to bear fruit, however. “In the last few years we have seen a change to companies having a Chief Information Security Officer who operates outside of the IT department. So, typically, they should either be on, or report to somebody on, the board because cyber security should be in the risk register for any organisation,” says Woodward. Equally important is that responsibility is disseminated throughout the organisation, with the CEO or CISO heading the chain of command, supported by cyber advocates at all levels.
“We are all potential targets, across all digital touchpoints, every single day,” says Murray. “That’s why the culture of an organisation is so important in fighting back. We can’t just assume it’s some other person or department’s issue. Cyber-security needs to be an integral part of every company’s communications, decision-making and processes. Investing in creating a more cyber-focused culture can turn your people from cyber-risks to cyber shields.”
How to create a more cyber-secure culture in your business
- Take responsibility – lead from the top and by example.
- Create regular training and testing programmes to ensure your staff are familiar with threats and how to deal with them.
- Be open – ensure staff aren’t scared to speak up and that they have a mechanism to do so.
- Collate and circulate the latest threat reports and how these may play out.
- Build cyber-security into your processes and policies.
- Create a network of cyber advocates or cyber shields across different departments to identify potential areas of weakness and spread information and best practice.
- Have a plan to deal with any cyber-attack and practise it so that everyone is aware of their role and responsibilities.
- Consider hiring a consultant or cyber-security expert to audit your business and offer bespoke workshops.