Leaders talk about building a culture of cybersecurity. They speak about how important it is to them and their organization. But what does it really mean? And what does it mean for the individual employee? A 2018 ISACA and CMMI Institute study shows that only 5 percent of organizations believe that no gap exists between their current and desired cybersecurity culture.
A culture of cybersecurity exists when there is top-down support for cybersecurity, it is ingrained in and fully integrated into all aspects of the mission, and all employees have a mindset of security in everything they do. It isn’t just awareness training, policies or procedures, or some catchy posters at the door reminding us not to tailgate. It is fully understanding why it is important to protect and secure the data of the organization, how that is part of our daily routine and what the implications are of a misstep or breach.
Building a culture mindful of cybersecurity is exceptionally important as threats become more sophisticated. Most attacks begin by focusing on the individual users of the target entity, not the underlying technology. Complex spear phishing campaigns are used to harvest credentials or other sensitive information, which can then be used to steal data and gain further access into an organization. It is important for each of us to think twice about what we do. We must also understand the impact of a breach and ask ourselves questions such as:
- Are my account and data secured properly?
- What information would be leaked if my account(s) were to be compromised?
- Should I send this file to an external e-mail?
- What can I do better to make my data and accounts more secure?
Unfortunately, many organizations struggle with this culture shift. The fundamental building blocks of a culture of cybersecurity are difficult to get in place. Leaders may have a hard time determining the appropriate risk tolerance. Understanding your data, the threats to it and what level of risk you are willing to accept is a core challenge in building a cybersecurity policy, program and culture around it. Another challenge is getting proper investment and budget allocated to make the transformation.
Despite the obstacles, organizations can really improve when it comes to shifting their culture to be more mindful of cybersecurity. Some items organizations should consider are:
- Mandatory security awareness training varies greatly in quality and delivery from agency to agency and is delivered in a silo compared to training on other technology. All training, regardless of whether it is for an HR application, an invoicing system, a new database, etc., must have training modules that focus on why it is important to protect the data in those systems and what each person can do to reduce risk. Cybersecurity training should not be an annual compliance activity, but part of all training we take.
- All projects should have cybersecurity design reviews up front along with a requirements definition. Cybersecurity should be built into the life cycle of each application, technology component and workflow.
- Leverage technology restrictions and controls to compensate for employee tendencies that make them vulnerable. The personal habits and routines employees have at home often spill into the workplace. Setting up technology controls to prevent usage of some social media, personal e-mails or ability to access unknown websites reduces phishing risks.
- Review risk tolerance regularly and ensure that policies, directives, training and messaging to employees all reflect the same consistent approach to security.
Cybersecurity is garnering a lot of attention and will continue to as threats evolve and the severity of data breaches continues to grow. People and culture play a huge part in a secure organization. Organizations have to prioritize efforts to strengthen the weakest link – people. And that is done through greater awareness and the organizational culture.
For more reading on cybersecurity culture considerations, ISACA has some further key considerations in this report.
Jason Yakencheck is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!). You can follow him on Twitter.
Organizational culture of any kind can certainly be hard to change, but you’ve done a great job identifying concrete steps that can be taken to make cybersecurity an everyday priority!