8 Steps to a Cyber-Security Culture

Tom Bale, Business Development and Technical Director for Logicalis Channel Islands identifies 8 steps towards developing a cyber-security culture in your organisation.

Cyber-security - everyone's business

Whether you realise or not, your employees are a critical part of your multi-layered defence against phishing attacks, malware, ransomware, and more. But do they actually appreciate the important role they play?

In just about every news story you read today about another phishing attack, malware infection, ransomware attack, or data breach, there’s a part of the story that’s either covered or implied – a user was involved. The user, whether malicious, negligent, or unwitting, invariably clicked on a link, opened an attachment, visited a webpage, or did something else that allowed a cybercriminal access to execute their malicious actions.

Cyber-security - devastation

Attacks can have devastating results. Recently, shipping giant Cosco was brought to its knees by a ransomware attack and earlier this year, local firms lost more than £1m in a series of ‘impersonation attacks’, with fraudsters monitoring email exchanges and learning to mimic the idioms and writing style of staff members to improve the credibility of their forged documents. The attack specifically targeted the Channel Islands.

Employees rarely knowingly succumb to a cyber-attack. While a few may act through malice, most allow an attack to breach defences through negligence and/or ignorance. Negligence encompasses both employee action and inaction, including failing to follow security protocol, opening suspicious email attachments, and losing company devices containing sensitive data. A recently published report found that nearly half of data breaches (47%) reported by senior executives such as CEOs and CTOs are caused by human error or accidental loss.

With this clear and present danger, the question needs to be raised: Why don’t employees care more about cyber-security?  It usually comes down to one, simple reason: your company doesn’t have enough of a security culture. In essence, your staff don’t care, because your organisation hasn’t told them they need to care as part of their job.

Recruit someone into Accounts and what do they think their job is? To do accounts. Security is IT's job, not theirs. But hire someone into Accounts in an organisation that has a security culture, and they now look after the books, but are also constantly watching for cyberattacks, phishing scams, and the like.

Building a cyber-security culture

So, what does it take to create a cyber-security culture? Here are 8 relatively simple steps that people who help define an organisation’s culture can take:

1. Make employees aware. The average employee doesn’t study cyberattack methodologies in their spare time; they need to know that threats exist and they’re likely to be the target.
2. Communicate expectations. Starting with their first day in the job, employees need to understand that their organisation requires a level of employee vigilance when it comes to cyberthreats. Help employees to better understand how they are at risk at home and in the office, and how their actions can make the difference wherever they are working.
3. Train and test. Using Security Awareness Training, which Logicalis provides through our partner KnowBe4, employees need to be made aware and kept up to date. Businesses can even run a ‘live firing’ exercise, with an employee or team becoming the victim of an ‘attack’ orchestrated by the IT team or outsourced support. This could be in the form of a phishing email sent to all users. Afterwards, staff should come together to review what happened and understand the lessons learned. Cybersecurity training should continue throughout the year, at all levels of the organisation, specific to each employee’s job.
4. Create a formal plan. IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks.
5. Stress the importance of security at work and at home. Senior IT executives should help employees understand the importance of cyber hygiene, not just in the workplace but also at home. This is increasingly relevant as more of our appliances become interconnected and controlled by our handheld devices.
6. Appoint cyber-security culture ‘advocates’. IT decision-makers might consider appointing a cybersecurity culture advocate in every department, who can receive extra training and help the CTO or CIO keep employees trained and motivated. Why limit your IT resources to the IT team?
7. Get buy-in from the top. If you’re a CTO or CIO, you need to make the rest of the executive team or committee aware of the ramifications of a potential breach and ask for their input into the cyber-security plan.
8. Reward employees. Recognise and reward users who identify malicious emails and share their stories about how they spotted it and what they did. Equally, empathise with users who make mistakes – but make sure they know what to do in future.

Continuous training is essential part of your defences, but it needs to be relevant and current to ensure you build a solid cyber-security culture. For our own part, with Knowbe4 which has recently become the only simulated phishing and awareness training platform that is SOC2 Type 2 certified, Logicalis is confident that we’ve got the right partner.