“Culture” has become one of the biggest buzzwords in the business community in recent years. Companies compete ferociously to be seen as “cool” places to work by offering employees an ever-expanding array of perks. Ping pong tables and bean bag chairs have become corporate office cliches. Alternatively, in other organizations, corrosive cultures have wreaked havoc on the workplace. The #MeToo movement has illuminated how toxic work environments can damage, and sometimes even destroy, a company. A strong culture is now seen as critical to business success. As the renowned management consultant Peter Drucker once explained, “culture eats strategy for breakfast.”
There are hundreds of books and thousands of articles that discuss how to build a great company culture. Very little, however, has been written about how to create a positive, and effective, cybersecurity culture in the workplace. But in a world besieged by cyber threats, this topic has become too important for executives to continue to ignore.
The Importance of a Strong Security Culture
The most important part of any company’s culture is its people. When it comes to cybersecurity, your people present a unique challenge. Your employees are your greatest asset, but also your biggest liability. Hiring great people is essential to any successful enterprise. All humans, however, have flaws. Specifically, people are programmed to be inherently trusting. Hackers are skilled at using social engineering tactics to exploit your employees’ trust in order to access systems and data.
Too many organizations overly focus on technology to solve their security problems. But ultimately, tech solutions alone are never sufficient safeguards against cyber threats. The vast majority of cyber incidents are caused by human error or a lack of sound judgment. Therefore, the best way to counteract these issues is by establishing a strong security culture in your workplace.
The Basic Building Blocks of a Successful Cybersecurity Culture
So what does it take to build a successful cybersecurity culture? Here are a few tips to keep in mind.
1. Leadership starts at the top.
As an executive, your workers are not only watching what you say, but also what you do. Issuing a yearly memo with a few token references to cybersecurity is not enough. Employees want to see words backed up by actions. Are all managers following digital protocols? Are real resources being devoted to cybersecurity? Senior executives need to lead by example, setting the tone on cyber policy. If the C-Suite doesn’t prioritize cybersecurity, than you can’t expect anyone in your organization to take cybersecurity seriously.
2. Celebrate cyber success.
When it comes to cyber hygiene, too often employees are reprimanded for doing the wrong thing, but never rewarded for doing the right thing. Nobody enjoys receiving nastygrams in their inbox from HR, chastising them for breaking cyber protocols. Make sure managers are using carrots, and not just sticks, to incentivize cyber best practices. These carrots can’t be some silly certificate, honoring the cyber “employee of the month.” Accolades should be serious, not symbolic. Give bonuses to the employees with the best cyber etiquette. Or celebrate team success – such as a decrease in the organization’s click rate on a spear phishing test – by buying everyone lunch.
3. Adhere to the KISS (Keep It Simple, Stupid) principle.
No one wants to keep track of a long and complicated list of security mandates from management. So focus on the fundamentals: strong passwords, multi-factor authorization, regularly updating operating systems, etc. By embracing security basics, you’ll be more likely to get employee buy-in, while still addressing the core issues that are most likely to lead to a cyber incident.
4. Make cybersecurity fun.
Yes, you read that right. Security awareness training doesn’t have to be a dreaded chore. Too many people associate cybersecurity education with dull powerpoint presentations and draconian digital directives. But it doesn’t have to be this way. Cybersecurity initiatives should be engaging for employees. Have your IT team create humorous skits on cyber topics. Or create a contest where employees write an email for your company’s next phishing campaign. When you unleash your workers’ creativity, the possibilities for compelling training solutions are endless.
5. Learn from the best.
People need role models, and so do organizations. Seek out companies that have strong cybersecurity cultures and emulate what they do well. Take a look at the National Association of State Chief Information Officers (NASCIO) award-winners. Subscribe to cybersecurity trade publications to keep up with the latest best practices. And consider taking a business trip to the offices of industry leaders, to observe the best first hand.
If you would like help strengthening your company’s cybersecurity culture, contact us. Let’s discuss how we can you help you boost your organization’s cyber resilience, today.