What is Cybersecurity Culture, and Why is it Important?
Let’s begin by looking at what culture is and why it matters. Culture is embedded in the organization’s framework: its vision, mission, and values. These also describe its attitudes toward various things. Does it value innovation over tradition? Does it focus on people or processes? Does it embrace change, or will it fight it every step of the way?
What is a Security Culture?
We define security culture as the ideas, customs, and social behaviors of a group that influence its security. Organizational leaders can use the model to visualize their current security culture and plan the steps required to progress from one level to the next.
What is good security culture?
A good security culture is one where people make the right security decisions, are aware of the threat landscape, know what red flags to look for, report all suspicious activity, and understand their role in cybersecurity as the human endpoint.
A (cyber)security culture is not just completing training or reporting phishing emails. It is how people respond to the unseen, and sometimes unmeasurable, situations that occur day to day. Let’s look at the benefits of having a culture of security versus not having one.
The following situations are told from the users’ point of view. Each scenario represents what is going on in a person’s mind when they are presented with a security decision.
Situation 1 – A phishing (malicious) email claiming to be from a bank arrives in an inbox. It contains multiple grammatical errors and a suspicious link, mixes several font sizes, is unformatted, and the sender’s email address does not belong to the bank.
| The human working at an organization WITHOUT a security culture | The human working at an organization WITH a security culture |
|---|---|
| “This email looks very suspicious. I don’t even bank with them. I’ll ignore it and delete it later.” | “This email looks very suspicious. I’ll report it to the cyber team, as they will want to investigate it further.” |
| Technically there is nothing wrong with this response. However, ignoring a suspicious email may result in someone else in the organization engaging with it. | This response demonstrates a security culture: reporting the email lets the cyber team investigate it and remove every copy from the organization’s mail systems before anyone else engages with it, avoiding a potential incident. |
Situation 2 – A USB device is found on the floor of one of your lifts with ‘Payroll 2022’ written on it.
| The human working at an organization WITHOUT a security culture | The human working at an organization WITH a security culture |
|---|---|
| “LOL – this is going to be good. I’ll take it back to my desk, plug it in and show the guys.” | “As much as I want to look at this, I will take it to the cyber team, as it could be a trap.” |
| Curiosity will always get the better of us, especially where private or confidential information is concerned. Plugging in an unknown USB device has the potential to cause a cyber incident. | The curiosity is still there. Because this person understands the risk of plugging in an unknown USB device, they make the right decision and hand it to the cyber team to investigate. |
While these situations seem second nature to those who live and breathe information security and cybersecurity, they are not second nature to everyone else. I can promise you that this is exactly what your people think and do daily.
Your organization has a security culture, but is it the one you want?
It’s true. Every organization already has a security culture, whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be, and set about making that happen.
To understand the security culture you have today, you need to ask some questions, make some observations, and take the time to document what you discover.
Start by asking: Do your people understand the impact on your organization if a breach were to happen? Are they aware of the cyber threat landscape? Do they lock their devices when they step away from them in all situations? Do they follow existing policies (internet usage, clean desk, reporting incidents, etc.)? How do they respond to phishing and other social engineering? Do they consistently create insecure workarounds (use a personal Dropbox or unsecured personal devices at work, etc.)?
Once you have an idea of where you are, it’s time to consider, discuss, and define what your organization’s security culture should be. Ask: Does our organization care about security? Which areas of the business are most and least security-minded? Which employees are most risk-averse? How strong or weak is our security culture? In which parts of the organization do we most need to improve it? And how effective is our current security culture program?
Answering those questions gives you a starting point for implementing awareness, education, and training across your organization.
Building a solid and positive security culture, as defined by you, is an effective mechanism to influence your users’ behavior and, thereby, reduce your organization’s risk and increase resilience.
This blog post was originally published by World Economic Forum.
Information used in this article was provided by our partners at KnowBe4.