By Jason Hoenich on Dec 3, 2018
Your employees are using every device at their disposal to get the job done—and that includes unmanaged personal devices at home and on the go. The modern workplace comes fully equipped with remote workers, part-time employees, and countless devices connected to the organizational hub 24/7/365 from just about anywhere.
The problem, of course, is that traditional perimeter-based controls do not reach these endpoints, which leaves employees and their employers exposed to data leakage and to ransomware that holds their data hostage. Creating a security culture in the workplace is the last line of defense as businesses grow increasingly dispersed, remote, and mobile.
What Is a Security Culture?
In the past, having the most up-to-date security systems and most diligent IT team was enough. Today, however, it takes a commitment from every single plugged-in employee to ensure organizational security. The goal of crafting a security culture is to change day-to-day behaviors by getting buy-in from everyone—from the C-suite to the mailroom—and it all starts with training in and awareness of best practices.
A modern security culture lets employees work where and when they want while staying connected to corporate resources, without that flexibility becoming the weak point. According to the SolarWinds Federal Cybersecurity Survey 2017, 54 percent of respondents reported that "careless/untrained insiders represent the greatest security threat to their agency." In another survey, 47 percent of business leaders said that human error, such as losing a device, had resulted in a data breach.
With the average data breach now costing businesses $3.6 million globally, it's important that everyone on staff be aware of and trained in how to handle potential security threats, including phishing emails, the use of unsecured networks, password sharing, weak passwords, downloads of malicious apps, clicking on suspicious links, and so on. Security affects everyone, not just IT, the CIO, and the CISO, so it's important to get everyone on board, involved, and embedded in the security culture.
How to Create a Security Culture
Although ramping up restrictions on access and permissions might seem like the best solution to combating security threats, the truth is that this tactic can actually make businesses more vulnerable. Why? Because restrictions drive employees to work around IT (rather than with IT), which creates even greater vulnerabilities. This is why having a security culture is important: It protects your employees, your company, your data, and your bottom line.
Start crafting a security culture by launching a security awareness training program using these six steps:
- Establish goals and metrics for measuring success.
- Communicate with employees so they know what’s coming.
- Run regular phishing simulations or other security exercises. Examine the data to understand behaviors.
- Narrow down and engage with repeat responders.
- Create an ambassador program to reinforce the goals and mission.
- Use marketing, rewards, and more to change behaviors.
If your goal is to lower the number of repeat responders (people who engage with at least four phishing simulation emails), then once you've run your phishing simulations and narrowed the list of repeat responders down to a handful, you can create an outreach program and work with those staffers to give them the tools they need to avoid falling for future scams. Creating an ambassador program and developing a system of rewards are two great ways to reinforce the phishing-simulation goals and get everyone embedded in the security culture.
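The metrics in step one and the repeat-responder triage above are easiest to run from the raw simulation results. The script below is an added example, not code from the original article or from any phishing-simulation product; it works on a constructed result set in a hypothetical format (one record per simulated email: campaign, user, and the user's action) and applies the article's own definition of a repeat responder, someone who engaged with at least four simulation emails.

```python
from collections import defaultdict

# Constructed sample of phishing-simulation results (not real data).
# One record per simulated email delivered: (campaign, user, action).
# "clicked" and "submitted" (credentials entered) count as engaging with
# the lure; "reported" means the user flagged it to the security team.
SAMPLE_RESULTS = [
    ("2018-c1", "alice", "clicked"),   ("2018-c1", "bob", "clicked"),
    ("2018-c1", "carol", "clicked"),   ("2018-c1", "dave", "reported"),
    ("2018-c2", "alice", "clicked"),   ("2018-c2", "bob", "ignored"),
    ("2018-c2", "carol", "clicked"),   ("2018-c2", "dave", "reported"),
    ("2018-c3", "alice", "submitted"), ("2018-c3", "bob", "ignored"),
    ("2018-c3", "carol", "reported"),  ("2018-c3", "dave", "reported"),
    ("2018-c4", "alice", "clicked"),   ("2018-c4", "bob", "clicked"),
    ("2018-c4", "carol", "ignored"),   ("2018-c4", "dave", "reported"),
    ("2018-c5", "alice", "clicked"),   ("2018-c5", "bob", "ignored"),
    ("2018-c5", "carol", "reported"),  ("2018-c5", "dave", "reported"),
]

ENGAGED = {"clicked", "submitted"}
REPEAT_THRESHOLD = 4  # the article's definition: engaged with >= 4 simulation emails


def campaign_metrics(results):
    """Per-campaign engagement and report rates.

    The engagement rate is the metric to drive down over time; the report
    rate is the one to drive up, since a user who reports a lure is giving
    the security team early warning of a real campaign.
    """
    sent = defaultdict(int)
    engaged = defaultdict(int)
    reported = defaultdict(int)
    for campaign, _user, action in results:
        sent[campaign] += 1
        if action in ENGAGED:
            engaged[campaign] += 1
        elif action == "reported":
            reported[campaign] += 1
    return {
        c: {
            "sent": sent[c],
            "engagement_rate": engaged[c] / sent[c],
            "report_rate": reported[c] / sent[c],
        }
        for c in sorted(sent)
    }


def engagements_per_user(results):
    """Count how many simulation emails each user engaged with, across all campaigns."""
    counts = defaultdict(int)
    for _campaign, user, action in results:
        if action in ENGAGED:
            counts[user] += 1
    return dict(counts)


def repeat_responders(results, threshold=REPEAT_THRESHOLD):
    """Users who engaged with at least `threshold` simulation emails: the outreach list."""
    counts = engagements_per_user(results)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_RESULTS).items():
        print(f"{campaign}: sent={m['sent']} engaged={m['engagement_rate']:.0%} "
              f"reported={m['report_rate']:.0%}")
    print("repeat responders for outreach:", repeat_responders(SAMPLE_RESULTS))
```

Run against the constructed data, the engagement rate falls from 75 percent in the first campaign to 25 percent in the fifth while the report rate rises, and only one user crosses the four-engagement threshold; lowering the threshold (for example, `repeat_responders(results, threshold=2)`) widens the outreach list. Note that a user who never engages can still be recorded as "ignored" rather than "reported", which is why the two rates are tracked separately.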
Some other things to know about building a security culture include:
- Security threats are always evolving: Security awareness training has to be consistent and ongoing, because cybercriminals are always coming up with new ways to work the system and manipulate users into falling for a scam.
- A little goes a long way: Even a short training session on how to check a third party's credibility and verify that software really comes from who it claims to can stop employees from installing unauthorized applications on their work or home devices and head off a security issue.
- Reap the rewards of reinforcement: A security culture isn’t built in a vacuum, and security training needs reinforcement. Whether you hang posters or get your ambassadors to have coffee-infused town halls to talk all things security awareness, it’s important to make sure that employees stay active and engaged.
- Knowledge is motivation: It’s important to stress to employees how security plays a part in their day-to-day activities, including how it influences the services and products that your business offers. The more relevant and “real” security threats feel, the more likely employees are to feel like they’re playing a crucial role in helping the security culture thrive.
- Pushback is almost guaranteed: You'll encounter employees who don't care about security and keep using untrusted networks, or people who stick to weak passwords and keep downloading questionable third-party apps, but it's important to stay diligent. Make sure your training is engaging and fun and that policies aren't too difficult to understand or follow. With the employees who push back the hardest, lean on your ambassadors to take the lead; people are more likely to listen to their closest colleagues than to IT or the CISO.
Engaging every employee, from the top down, in creating a security culture is the best way to combat the threat of data breaches and cybercriminals. One of the best ways to ensure your security culture thrives is by creating an ambassador program. Download our Ambassador Guide now and launch a security culture to protect your employees and your company from cyber attacks.