Practical IT: How to create a culture of cybersecurity at work

Hands. Image courtesy of Shutterstock.

A “security culture” is one of those intangible things that can deliver an immeasurable benefit to your business.

No amount of policies or technical controls will prevent a security breach if you haven’t got your staff on-side. Policies can be ignored and no technical control is perfect.

Worse still, ratcheting up your controls without winning over hearts and minds will simply create shadow IT, where employees circumvent provided IT by using services such as personal email and cloud file-sharing to conduct corporate business. That leaves you with the same risks, but they’re harder to quantify and even harder to address.

So how can you get those inside your business interested, involved and working with you, not against you? Here are a few tips…

1. Make it real

While the latest advanced nation-state attack makes for great headlines, most businesses are far more likely to get targeted by a criminal organisation. There are some terrifying stats out there about how much a data breach costs a business – concrete examples like these can really help get your executive team on board.

But when appealing to regular employees, it pays to highlight the risks with respect to their role. For instance, your finance department will probably be far more interested in a story about CEO fraud than one about IT sysadmins being targeted.

This approach does take some time, as you’ll need to tailor your pitch for each department, but it pays dividends in the long run because the message is no longer just from “some guy in IT”.

Better still, spend some face time getting your CFO engaged and ask him to spread the word himself via team meetings, etc.

2. Keep topping it up

Although the constant stream of news about companies being breached can be a pretty depressing read, it can help you. It’s only a matter of time before another relevant piece appears.

Take every opportunity you can to keep the conversation going with the key people by passing on interesting and relevant stories as you see them. If you’re struggling to keep up with the volume of news, set up some specific keyword alerts relating to your industry or area.

Podcasts are another great way to keep up with the latest events. My personal favourite is – not forgetting Sophos’s own Chet Chat, of course!

3. Learn to be a marketeer (or find one!)

This isn’t an area that technical security people tend to be good at. Awareness materials that appeal to you are probably not the same as ones that will resonate with less technical staff.

If you’ve got an internal marketing department, they may be able to help you develop some memorable and professional materials (posters, stickers, stress balls, etc). However, you’ll need to keep this going indefinitely, so to ensure a continued focus on fresh ideas you may wish to get some outside help.

There are a few companies that specialise in running infosec awareness programs which are likely worth the expenditure.

4. Measure

The old cliché of “what gets measured gets managed” is as true as ever. If your awareness campaign addresses the phishing threat (it certainly should) then run some controlled assessments to assess your company’s susceptibility.

Then keep running them regularly to see if you get an improvement. Not only does this allow you to assess the effectiveness of your awareness materials, but the act of testing and informing people who have failed will also help cement the message.

Better yet, if you can gain support for a small ‘punishment’ for failing you’ll likely see a far quicker improvement. This could be mandatory training, or even a naming and shaming policy. Again, if you’re not able to do this all in-house there are external companies that can help with training.

The critical piece with any employee assessment activity is to make sure you’ve first provided the appropriate education and awareness – how can you expect people to spot phishing attacks if you’ve never told them how? It’s easy to forget that not everybody takes an interest in cybersecurity.

5. Get them young

…Or at least early in their employment! A solid new-starters process which establishes security as a priority from the very start will pay dividends a few years down the line.

Remember, new starters are probably going to be overwhelmed on their first day so it’s not the time to go into detail. Plant the seed on day one and nurture it in the initial weeks.

Use every touch-point you can. Do you have a new starter pack? Why not put in a security page? What about when they receive their IT equipment – can you get the service desk to remind them about security? How about a shortcut to training materials on their desktop or a click-through reminder on their first login?

Again, it’s always good to measure, so consider an on-boarding quiz, to be taken within 30 days of joining.

6. The broken windows approach

First introduced in a 1982 article by social scientists James Q. Wilson and George L. Kelling, this theory suggests that paying attention to small, petty crimes helps to create an atmosphere of order and lawfulness, and helps to prevent bigger, more serious crimes from happening.

The security corollary is to pick people up on small policy infringements. If you see an unlocked workstation, don’t just walk past it. If you overhear someone sharing a password, don’t just ignore it.

Your ability to do this alone will always be limited so you need allies. IT is probably your first port-of-call. Members of the service desk particularly are your eyes and ears: encourage them as best you can to remind users about simple policy compliance.

Security advocates in other departments can be really helpful too. The guy in accounts who reports every single spam email to you personally might be a bit annoying but don’t forget that he’s your ally and will very likely be willing to help.

Incentive programmes can help here too – consider giving sweets or low-level prize draws for those who report a problem. However, while reports are useful, for the little things it’s worth distributing the work. So ask others to help remind infringers of the correct way to do things to prevent you spending all day reprimanding people for not displaying their ID badge.

Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month in the US, but we’re celebrating it across the globe.

It’s the fifth anniversary of the ‘Stop. Think. Connect.’ campaign, and we think there have been some good improvements in cybersecurity in those five years. So take some time to read our 5 good-news stories.

It’s not all doom and gloom in the world of cybersecurity, but we all need to do our bit to secure our businesses, our staff and ourselves.
