How to create a security culture


With ever increasing media coverage of cybersecurity attacks, the awareness of cybersecurity is expanding. This important subject is something everyone is talking about in manufacturing facilities across the globe.

With an increased level of awareness, creating a security program and building a culture within an organization around security, much like safety, go hand in hand.

A security posture must be injected into everything within the organization. Everyone must be involved, from Human Resources (HR) to Finance and Engineering teams, and even some of the unsung players such as Facilities. And like any important initiative within an organization, it is critical to have executive support.

Executive leadership and HR should consistently support training programs for employees. Employee training should happen regularly so that the message of the importance of an ongoing security lifecycle comes through loud and clear – and often.

Even though cybersecurity is a combination of people, processes and technologies, we have to step back and look at some of the more basic things like – what are we doing about physical access? Do our people really know about physical access security? How can we add new levels to guard against social engineering? How do we test to see if our employees are listening?

Consistent message

Yes, we initially talk about education and awareness, but we need a more prescriptive approach that starts with executive sponsorship of the cybersecurity program and filters through with consistent education. Much like training, written mandatory policies must filter down from executive leadership to HR, then to upper management, middle management, and so on. If you stay consistent in delivering the security message, it becomes embedded in the organization’s culture.

One case in point: when someone leaves a keyboard unlocked, other employees who notice this should remind the person of that “insecure” behavior, just as they would when someone sees an unsafe practice on the plant floor. Or, when someone swipes into the building in the morning and two or three people piggyback in with them, someone should stop them and ask for their badges.

Creating a security culture comes not only from training and education, but also from everyday practice. In some industries, like critical infrastructure, manufacturing, transportation, telecommunications, finance, hospitals, healthcare, and oil and gas, the security culture is good; not great, but it is getting better. However, in many small or medium-sized business operations, it needs a lot of work.

I came across a situation once where someone I know suffered a ransomware attack on his company’s database. In troubleshooting the incident, I realized that recovery was a useless effort because the ransomware impacted the main database as well as their backup databases, operations, finance, payroll, and HR data. Even further, it also impacted the local police department. They had not created an environment where everyone was thinking about security; one thing led to another, which cascaded into a cybersecurity nightmare for the company.

Creating a stronger cybersecurity culture starts with people, and it takes consistent effort and time. Here are some elements of a healthy cybersecurity culture:

  1. Executive support – This is actual support, not just talk. It means that company leadership is committed to cybersecurity by assigning budgets, creating specific organizational roles, openly communicating their support, and demonstrating their commitment through actions.
  2. Policies and procedures – Typically involving Human Resources, good companies have documented clear policies and best practices for employees regarding cybersecurity: the “Dos and Don’ts” about everything from physical security to the use of USB keys.
  3. Training – It’s not enough to have a policy manual sitting on a shelf; companies should integrate employee training and awareness programs. These could use videos, classroom training, web-based courses, or other forms. A key point is that this training should match the job function and needs to be refreshed at least annually. Employee participation should be tracked to ensure that the content is reaching the employees.
  4. Testing – This is not product testing; it’s “people testing”, or measuring employee engagement. Companies that are serious about creating a cybersecurity culture will perform internal phishing exercises and other internal tests. Monitoring employee engagement to see who is “getting” the message is used to track and improve training and engagement. Awards, penalties, and other recognition can help get people engaged, even in a fun way.
  5. Communication – Cybersecurity should consistently be part of the company conversation. Through internal newsletters, posters, stories, and other recognition, a healthy culture will evolve.

People are the first and most important line of cybersecurity defense. Getting everyone on board and understanding their role will not only mitigate risk; it can help new ideas evolve without fear and contribute to company growth and strength.
