It’s typical to think of the workforce as cybersecurity’s weakest link. That makes sense: According to a recent report, 82% of breaches across all industries involved human factors — stolen credentials, phishing, misuse or simple error. Most attacks target employees as the easiest route to gaining access. Companies and agencies often rely on technology to prevent incursions. While you need to keep malware blockers and other technology up to date, tech alone can’t solve the problem. An alternative approach transforms users into “a human firewall.” But it takes more than a slideshow once a year. You need to establish — and maintain — the attitude that everyone is responsible for the safety of your systems and data, and then give them the right training and tools. Create a culture of cybersecurity, and you can turn your weakest link into your best defense.
The Scope of the Problem
In 2021, 2,792 incidents compromised government data, and 537 of them resulted in confirmed disclosure of data.
Although system intrusion, usually by well-organized cybercrime networks or state actors, has become much more frequent in the past two years, mistakes such as falling for a phishing attack, misconfiguring resources, sending data to the wrong recipient and losing devices account for most employee-caused breaches.
As we’ve learned in other spheres, often the way to reduce mistakes is not so much to change the people as to change the system. That’s where culture comes into play.
MIT’s Sloan School of Management describes a cybersecurity culture as one that “tasks every member of an organization with embracing attitudes and beliefs that drive secure behaviors.” CISA’s Cyber Essentials Starter Kit says it’s one where staff “must have — and continuously grow — the skills to practice and maintain readiness against cybersecurity risks.”
A cybersecurity culture builds on basic training that teaches cybersecurity concepts, terminology and best practices for employees. Make internal and external training resources available. Require regular refreshers, and encourage participation in campaigns such as National Cybersecurity Awareness Month. And don’t expect people to do it on their own time.
But that’s just the beginning.
Training Is (Only) a Starting Point
Ongoing awareness starts from the top. To foster a true culture, according to MIT, leaders must commit to changing people’s values, attitudes and beliefs about cybersecurity at every organizational level, and make it clear that cybersecurity is intrinsic to the agency mission. For example, start every meeting with a cybersecurity story.
Keep employees up to date by circulating information about trends in phishing, scams and email hijacking, and include them in regular training. Use real reported events to demonstrate current threats, and make sure everyone knows how to recognize and report them.
Models and Incentives
Have clear guidelines. For a culture to stick, people need to know what’s expected of them. Written guidelines and policies should lay that out clearly. With those in place, you can apply incentives — both positive and negative — as reinforcement.
Use incentives and penalties. Recognition is surprisingly effective as a reward for getting it right, and it shows everyone that it matters. Other awards, as appropriate, could include gift cards or even time off. For getting it wrong, a graduated system starting with targeted training and progressing to loss of privileges, or even firing for repeated recklessness, might be necessary. Be sure to recognize cyber awareness in performance reviews.
And finally, make it fun. CISA and the Pacific Northwest National Laboratory are developing downloadable cybersecurity training games that feature simulated threats and responses in the context of typical computer games — quests, knights, ninjas. Winning depends on understanding cyberattacks, defenses and the role each person plays in protecting your resources. And what better way to reinforce your culture of cybersecurity?
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.