Each of us can recall at least one major cyber breach within the last few months. If you dig deep enough during the recovery phase, you’ll find that the floodgate to the unseemly cyber underworld more often than not was opened by a single individual. In most cases inadvertently. It goes without saying that creating a strong cybersecurity culture is imperative for any digital enterprise.
It takes only one unsuspecting person to launch a thousand ships, so to speak, and the average cost of a single data breach globally is $3.86 million. Not to mention a company’s reputation and customer confidence. Data breaches are just one business risk. In critical environments, worker and public safety is at risk as well. As IoT endpoints proliferate across the industrial ecosystem, the means of attack go beyond bad emails and malware. Today, every employee has a role to play in creating a sound cybersecurity culture that leads to digital trust.
Building a cybersecurity culture
How can you reboot your company’s mindset to ensure cybersecurity thinking becomes second nature instead of a costly afterthought? Employee training is essential.
“At Schneider, we’ve had great success in training our people and making cybersecurity part of our daily conversations”
For example. As attackers get better and better at disguising attacks (e.g., phishing) and targeting individuals within companies (spear-phishing), ongoing training is a must. Only with education will employees be able to recognize these attacks and, more important, prevent them without really even having to think twice about doing so.
For any employee to be a good cyber citizen, they need a solid understanding of what digital trust means to the company and to our shared global digital economy. Depending on their role, some employees may need a deeper understanding than others. But all should be thinking, “Is cybersecurity and data privacy top-of-mind as I get my job done today?”
Also look for ways to make security easier for your employees. Strong passwords are table stakes; not having them is like leaving your front door open. But let’s be honest – it’s difficult for employees to remember multiple complex passwords for all their applications. A good solution is single sign-on, where one username and password get them into all their apps. (As an added bonus, it will also boost productivity, since employees won’t be constantly shut out of applications and asking for password resets).
Multi-factor authentication tools are also taking great steps forward, with the ability to use a phone as a token rather than a separate fob that may be lost or forgotten. Biometric-based authentication systems likewise make the process easier for employees; nobody forgets to bring their finger to work.
And across R&D, your global supply chain, and your lines of business, it helps to show simulated breaches via penetration tests. As soon as you can reveal to someone that you’ve accessed their code, the conversation changes drastically. The intent here is not to have a “Gotcha!” mentality but, instead, to work with the business teams as partners, fostering a “we” culture instead of an “us vs. them” one.
Creating a “we” culture for cybersecurity
Creating a cultural shift doesn’t happen overnight. It requires a consistent drumbeat, not a one-time effort. Encourage employees to talk about security. As you bring groups together for regular meetings, spend five minutes talking about cybersecurity. Ask if anyone has any questions or concerns or has experienced anything suspicious. It doesn’t have to be anything formal, but it’s important to get conversations started and make it clear that it’s OK – even encouraged – to share concerns, issues and problems.
Examples of potential issues are all around us, and those employees on the front lines are in the best position to identify them. Many industrial control systems, for example, are old – built before good password hygiene and secure control room operation were common. You can learn more about protecting legacy systems in our “Building a Cybersecurity Strategy” e-guide. Encourage employees to raise a red flag if they see a potential security flaw in such systems.
Establishing this “we” culture will help you to connect the dots across the company (as our CISO Christophe Blassiau discusses in his latest blog), find those weak links, and maintain always-on vigilance. If your organization can demonstrate that cybersecurity is ingrained in your culture, and that every employee is on-board, you can earn the valuable digital trust that’s essential for advancing your digital transformation and success in the digital economy.