How To Create A Culture of Cybersecurity In Your Organisation?
Date: 6 August 2022
A few decades ago, an organisation’s most valuable asset was the real estate or the capital it owned. Today, data is the new gold: the most valuable asset of a modern company is its information - confidential customer data, sensitive business records, research work, pre-launch material and so on.
Protecting this data, both its confidentiality and its integrity, is of utmost importance. That is why it is imperative to build a healthy culture of cyber security in your organisation. Employees must understand why good cybersecurity practices matter and what their individual roles and responsibilities are in keeping themselves and the business safe.
Attackers are constantly on the lookout for unsuspecting victims. Once in a while, someone will connect a corporate phone to an untrusted public Wi-Fi network, and an attacker on that network gets a jackpot. Other times, an engineer will fall for a phishing lure dressed up as a lucrative job offer. A single mistake of this kind, a fake job offer opened by an employee, preceded the theft of over half a billion dollars from the crypto company Sky Mavis in 2022.
In this digital age, the weakest links in cybersecurity systems are the people using them. Without a proper security culture, technical controls alone will not hold. So what should you do, and how should you go about building a good cybersecurity culture for your company? Here’s a quick look at some practical tips.
1. Create a Cyber Incident Response Plan
You can’t do anything in business without a plan, and cybersecurity is no exception. Without one, a breach is far more damaging: on top of recovery costs, you may be liable for the harm your customers suffer.
A good first step is to define a few basic security metrics (for example, phishing-simulation click rates, time to apply critical patches, or the share of accounts with multi-factor authentication enabled). It doesn’t matter whether you have 5 or 500 employees: once the metrics are agreed and everyone knows them, they can be measured, and what gets measured can be improved. Treat your current numbers as a baseline and work to improve them week by week.
Create a Cyber Incident Response Plan and ensure that every important cybersecurity stakeholder in the company knows about it. This plan will detail the steps they have to take in case of a cyber incident. Having a plan can greatly reduce the damage a cybersecurity event can have on your business and can mitigate the losses arising from one.
You must also be prepared for a ransomware attack, a more complex and expensive kind of incident. Use resources such as this free Ransomware Prevention Checklist to prepare in advance, and make sure your IT and security team keep printed copies of this Ransomware Response Workflow Guide, because during an attack the systems that hold your documentation may themselves be unavailable. A ransomware response guide helps staff respond effectively and limits the heavy financial, operational and reputational costs these attacks bring.
2. Involve the entire company
Employees usually push back when the status quo is challenged. Most people don’t like change and want to keep working the way they always have. Cybersecurity, on the other hand, is a field that changes constantly. This is why you must be clear about your motivations, give people the resources they need to learn, and offer some incentives. Investing in high-quality cybersecurity training, with a trainer who can make the complex and often dry subject of cyber interesting, should be at the very top of your to-do list.
Educate your staff on how to tell genuine emails from phishing emails: check that the sender’s address (not just the display name) belongs to the expected domain, be wary of messages that create urgency or ask for credentials or payments, and hover over links before clicking. Help them understand which threat actors are likely to target your organisation and how to steer clear of them. The management team and the IT team must identify the business’s crown jewels, its most valuable assets, and invest extra attention in protecting them.
Running a cyber tabletop exercise that helps the executive see what a cyber-attack could do to their business and allows them to understand their role in managing a cyber crisis can be a very valuable tool in building a healthy security culture.
Given that the average cost of a data breach for US organisations was over 9 million dollars in 2022 according to IBM’s Cost of a Data Breach report (the global average was around 4.35 million dollars), it’s worth investing in such initiatives to secure your IT infrastructure and equip your staff to handle cyber-attacks.
3. Make learning fun and enjoyable
Company training sessions have a reputation of being absolutely boring. Some expert comes, reads from a presentation, shows a couple of Venn diagrams, or livestreams how to use the newest edition of a software package. That’s not the best approach if you’re serious about security.
It’s important to show, visibly, that every single one of your employees could be personally affected if a breach were to happen. For example, if nobody understands why they should use a VPN on untrusted networks, you can invite an ethical hacker to demonstrate a man-in-the-middle attack in front of them.
You can ask for a volunteer or be one yourself. Set up a spare access point with no password, and ask the volunteer to connect without a VPN. The hacker can then show live how anyone on the same network can capture the volunteer’s traffic, read anything the phone sends unencrypted (plain HTTP logins, unencrypted email or chat protocols, DNS lookups that reveal which services are in use) and tamper with it, for instance by steering the browser to a fake login page. Be honest about the limits: traffic protected by TLS cannot simply be read off the air, which is exactly why the lesson is to avoid plaintext protocols and to use a VPN on networks you don’t control. Of course, this must be done with the volunteer’s consent and only against a device and accounts set up for the demo.
When employees have seen with their own eyes how much an attacker on an open network can observe, they are far less likely to use untrusted Wi-Fi without a VPN. As a bonus, you can offer to buy a companywide package after the training so that they can use the VPN at home as well as at work. Doing that shows you’re serious about security.
4. Never stop training
Attackers evolve every day, and so should you. Whenever a new feature comes out, like NordVPN Threat Protection, schedule a session and look at what it brings to the table. In NordVPN’s case, Threat Protection blocks ads and trackers, blocks known malicious websites, and scans downloaded files for malware. You can also go into why a VPN kill switch is a feature everyone should enable: it cuts the device’s internet connection if the VPN tunnel drops, so traffic never silently falls back to the unprotected network.
"As an online auction house dealing with vast sums of our clients' money, we dedicate a lot of our time to training staff on the importance of cyber security and how to manage such situations," comments Ruban Selvanayagam of Property Solvers Auctions Bristol.
Finally, cybersecurity training shouldn’t be only about features and tech-related topics. It should definitely extend to cyber incident planning and response training too. You could also set up a workshop where your employees try to think of a persuasive phishing email and see if someone falls for it. Thinking creatively and including everyone is the best way to move forward.
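To make the phishing-awareness training and the "write your own phishing email" workshop concrete, here is an added example (not code from the original article) that applies the checks a trained employee, or a mail gateway, uses to tell a genuine message from a lure: sender domain versus display name, lookalike domains, a mismatched Reply-To, SPF/DKIM verdicts, pressure language and where the links actually go. The organisation domain `example.com`, the one-entry staff directory and both sample messages are constructed for the demonstration.

```python
"""Phishing-indicator triage over raw email headers and body.

Added example, not code from the original article. The organisation domain,
the staff directory and both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                               # assumption
DIRECTORY = {"jane smith": "jane.smith@example.com"}     # constructed staff list

# Constructed lure: spoofed display name, lookalike sender domain, mismatched
# Reply-To, failed SPF/DKIM, pressure language and a plaintext link.
PHISH = """\
From: "CEO Jane Smith" <jane.smith@example-com.co>
Reply-To: payments@mailer-login.net
To: alice@example.com
Subject: URGENT: bonus transfer before 5pm
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-com.co; dkim=none
Content-Type: text/plain

Alice, please action the attached invoice. Click http://example-com.co/login to confirm your account.
"""

# Constructed genuine internal message: same person, real domain, passes checks.
LEGIT = """\
From: "Jane Smith" <jane.smith@example.com>
To: alice@example.com
Subject: Q3 planning notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain

Notes from today's meeting are on the wiki: https://wiki.example.com/q3
"""

URGENCY = re.compile(r"\b(urgent|immediately|before \d|suspended|verify your account)\b", re.I)
LINK = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_ours(domain: str) -> bool:
    """Exactly our domain or a subdomain of it."""
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """Our name with a different TLD or separator (example-com.co). Deliberately
    simple: no homoglyph handling, so this catches only the cheapest trick."""
    def norm(d: str) -> str:
        return re.sub(r"[^a-z0-9]", "", d.lower())
    return not is_ours(domain) and norm(OUR_DOMAIN) in norm(domain)


def triage(raw: str) -> list[str]:
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    reasons: list[str] = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    if not is_ours(from_domain):
        reasons.append(f"sender domain is external: {from_domain}")
    if is_lookalike(from_domain):
        reasons.append(f"sender domain imitates {OUR_DOMAIN}: {from_domain}")

    # Display-name impersonation: a known colleague's name on a foreign address.
    for known, real_addr in DIRECTORY.items():
        if known in name.lower() and from_addr.lower() != real_addr:
            reasons.append(f"display name '{name}' does not match {real_addr}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To goes elsewhere: {reply_to}")

    # Gateway verdicts: anything other than pass for SPF or DKIM is a red flag.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            reasons.append(f"{mech}={m.group(1)}")

    # Single-part text only; a multipart message would need a walk over its parts.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        reasons.append("pressure language in subject or body")

    for url in LINK.findall(text):
        host = urlparse(url).hostname or ""
        if url.startswith("http://"):
            reasons.append(f"unencrypted link: {url}")
        if not is_ours(host):
            reasons.append(f"link leaves {OUR_DOMAIN}: {host}")
    return reasons


def is_suspicious(raw: str) -> bool:
    """Two independent indicators is the threshold used for this demo."""
    return len(triage(raw)) >= 2


if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, "suspicious" if is_suspicious(sample) else "clean")
        for r in triage(sample):
            print("  -", r)
```

In a workshop, have each team run their hand-crafted lure through `triage` and see which indicators it trips; the ones that pass cleanly are the messages worth discussing, because they show which cues human judgement still has to supply. The lookalike check is intentionally naive and the threshold of two indicators is arbitrary; real gateways weigh many more signals.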
As the saying often attributed to Benjamin Franklin goes: tell me and I forget, teach me and I may remember, involve me and I learn. This holds especially well in the case of cyber. Give it a try!