You get the culture you ignore. For example, an employee walks into the office without their ID badge, and there is no security protocol to challenge this. Soon enough, others may see no value or incentive to wearing a badge, and they too stop wearing it. Minor details that escape our attention can evolve into big issues eventually.
The frequency and sophistication of cyberattacks, especially those that exploit human susceptibility through social engineering and phishing schemes, continue to rise. Consequently, the rate of incidents in which employee activity culminates in a security breach has increased: 68% of data breaches have been linked to human error.
A robust security culture (the shared values, beliefs, attitudes, and social behaviors regarding security) can help organizations position employees as their last line of defense. Investing in people, equipping them with the appropriate tools and knowledge, and developing a positive attitude around cybersecurity can mitigate human risks. Put into context, organizations with a strong security culture often suffer fewer breaches than those with a poor culture.
Security culture without compassion can lower morale
Many organizations believe that a fixed-point strategy, broken down into individual steps, will help them build a strong culture, but they often miss the boat. This is because companies that try to impose controls on their employees will ultimately find no takers. Suppose that employees are not emotionally or logically aligned with the organization's security policies. In that case, they will adhere to policy for a short period but will eventually revert to their old habits. This can also affect job satisfaction, morale, and engagement.
How can a security culture be built without hurting morale?
For a robust security culture to thrive, organizations must convey a top-down security mandate as a shared responsibility among all roles. By raising awareness of employee roles in safeguarding company assets, technical controls and protocols can be made more attractive, helping more employees to adopt them, changing their behavior, and ultimately transforming the culture.
Here are a few ways to successfully build a security-conscious culture that can win employee support:
Encourage employees to choose the right behavior: Help employees understand why security measures matter through gamified training, interactive workshops, and storytelling sessions.
Give employees the power of autonomy: Confrontation can lead to resentment. But when employees feel empowered to make choices before taking action, they are more likely to choose the right thing to do.
Collaborate: A cross-functional security committee can improve employee participation when security policies are implemented. Taking employee experiences and perspectives into account will smooth the acceptance of policies and processes.
Reduce uncertainty: By helping employees understand why they are being asked to undertake specific actions, organizations can increase the adoption of correct security behavior. If employees have all the information that matters to them, they are more likely to participate.
Work on employee perception: Employees feel happy when they perceive they are being helped. Security advice can be turned down if employees feel that management is trying to prove a point about doing what's right. Organizations need to set expectations about the importance of making smart decisions when confronted with potential security threats.
Be equitable: One of the most powerful motivators for employees is to be treated fairly and not be shamed. The fear of embarrassment can cause an individual to hide a mistake and fail to report potential fraud. For example, suppose an employee accidentally enters their credentials into a malicious website or receives a text message asking for their MFA code, believing it is from HR. In that case, organizations should make it acceptable for them to report the incident without fear of reprisal.
Encourage advocacy: Having individuals across the organization who serve as advocates can help create a powerful support system for others. Other users can approach them for answers to IT or security problems, boosting organizational security.
Share stories: When senior leaders share anecdotes about their own security blunders and how the security team addressed them, it dissolves some of the shame in making errors and motivates employees to ask for assistance. It also encourages users to share their own experiences, so that others can learn from their lessons.
Make security compliance enjoyable: Employees are more likely to embark on journeys they enjoy. Highlight how security policies help employees maintain productivity by reducing security incidents. Portray security controls as enablers that safeguard the organization's intellectual property and employees' personal data.
A strong security culture can be built on positive attitudes toward security controls and policies, role participation and accountability, and the imperative for keeping the organization defended. A culture built on active participation and willingness to adopt security processes will go a long way to keeping the organization resilient to advanced threats.
Erich Kron is Security Awareness Advocate for KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management with over 70,000 customers and more than 60 million users. A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and other certifications.