Getting a greater return on investment on your security measures
We all have a responsibility for security.
Regardless of role or rank, everyone has their part to play:
Practising good cyber hygiene
Knowing how to spot a phishing attack
Reporting phishing emails and (possible) breaches
Contrary to popular belief, cyber and information security aren’t just matters for IT.
But to ensure that all staff truly take note of security and apply the knowledge gained from any staff awareness training, security should be embedded in your organisation’s culture.
In other words, you should aim to build a ‘security culture’.
In this blog
What is the difference between security culture and security awareness?
Benefits of a strong security culture
What does a good security culture look like?
How do you build a strong security culture?
Test the strength of your security culture
What is a security culture?
Security is about being free from danger or threat, while a culture is the collected ideas, behaviours and customs of a group of people.
You could therefore define a ‘security culture’ as:
The ideas, behaviours and customs of a group of people that protects them from danger or threat.
This can work both positively and negatively.
For example, if most employees leave their unattended computer unlocked, the few not yet in that habit – and newcomers – may quickly follow suit.
On the other hand, if current employees challenge any unfamiliar faces, new joiners will likely observe this and feel more comfortable to do the same.
What is the difference between security culture and security awareness?
Every organisation has a security culture – good or bad – but not every organisation has security awareness.
Security awareness is always a positive. It refers to understanding cyber security risks and best practices, which is usually acquired through training, but can be supplemented through other types of communication.
One example is to mention information security in job descriptions: explicitly stating that the head of development will define and maintain an SDLC (secure development life cycle), for example, and that individual developers must adhere to the SDLC and security coding guidelines.
Widespread security awareness – driven by management – is key to a strong security culture.
Benefits of a strong security culture
To get the best return on investment, you want your security measures to be maximally effective to minimise your risks.
In particular, you’d want to reduce the most common risk: the insider threat.
A strong security culture helps you achieve precisely that:
People will follow policies and procedures
Awareness training will have greater impact
Staff proactively make suggestions for improving security
Better still, getting those benefits doesn’t take much financial investment.
Plus, this type of culture will help you meet legal obligations, like accountability under the GDPR (General Data Protection Regulation). It’ll also make your ISO 27001 ISMS (information security management system) more effective.
Finding this blog useful? To get notified of future
expert insight like this, subscribe to our free
weekly newsletter: the Security Spotlight.
What does a good security culture look like?
Besides seeing widespread good security practices by all staff, at all levels of the organisation, you also want to ensure a healthy culture:
Don’t punish people for causing an accidental breach.
Actively encourage staff to report anything suspicious as quickly as possible.
Praise employees for speaking up (or otherwise acknowledge they’ve done the right thing).
Ideally, you want to get your security culture to the point where anyone who thinks they’ve spotted a risk – something that can negatively affect your security – will say to the information security manager: “I’ve found this – we need to do something about it.”
But getting to that stage requires the board and senior management to visibly take security seriously. Culture is driven from the top – as is long-term success.
How do you build a strong security culture?
A top-down approach is essential: leadership must show they’re taking security seriously for the same mindset to trickle down to staff.
You can also improve your security culture through various activities like:
Conducting regular staff awareness training;
Documenting security responsibilities in job descriptions; and
Creating and enforcing security policies – like an AUP (acceptable use policy), clear desk/screen policies, access control policies, etc. To make sure people are following them, have office managers check:Confidential information is put out of sight overnightAccess-controlled doors aren’t wedged open
Etc.
Test the strength of your security culture
Looking for an effective way to change end-user behaviour?
Our Meet the Hacker: Simulated Phishing Programme assesses your staff’s awareness of phishing threats. We combine:
Interacting training;
Simulated phishing attacks; and
A session with an ethical hacker…
…to significantly improve your organisation’s overall resilience to phishing attacks.
Help your staff understand how to protect your organisation better:
We first published a version of this blog in November 2017.
The post How to Create a Strong Security Culture appeared first on IT Governance UK Blog.
