Cyber attacks are so common that they regularly make the national news. There are many reasons why scams and cybercrime have taken off, but the manipulation and social engineering of employees, and of the software they use, remain a typical starting point for these attacks.
Organisations worldwide work on building a culture of security to counteract the human factor in cyber attacks. But if your organisation has yet to create this security-first mindset, and threats and vulnerabilities are increasingly placing your company at risk, you must ask: can good cyber security training change a bad cyber security culture?
Signs of a Bad Cyber Security Culture and Ways to Fix It
A bad cyber security culture has tell-tale warning signs to watch out for. Below are a few of the most obvious, along with actions that can turn a bad cyber security culture around using good cyber security training techniques:
All Talk and No Action
A security culture permeates from the top down and the bottom up. Everyone must be encouraged to be part of a bigger whole, working towards a common goal where security is taken seriously. Everyone from the boardroom to temporary staff should understand what it means to put security first and exactly how to do that.
Nothing will change if your organisation talks about security but does not provide practical ways to address threats. By explaining how to be secure, staff will be able to react correctly if attempted cyber attacks, such as phishing emails or social engineering events, occur.
How to turn talk into action: leadership must follow through with practical ways to support security efforts. This requires positive, ongoing security education across the entire organisation, giving staff the tools to contribute to the company’s security effort.
A Culture of Blame, Not Security
The blame game is a toxic and damaging culture that can quickly take hold after cyber attacks, especially if they keep happening. Pointing the finger and blaming staff for mishaps, such as opening a potentially malicious email, is easy. However, the more the finger is pointed, the more the general atmosphere around security behaviour will fester.
Furthermore, this blaming behaviour is as damaging as clicking a phishing link, because it creates an environment of mistrust and perpetuates poor security behaviour.
Stop the blame game with open communication: scapegoating and blame are the antithesis of a good cyber security culture. Instead, work on building trust, so that an employee who makes a mistake feels comfortable revealing it. A good culture of security needs good communication. If an employee promptly informs IT about a security misstep, such as an accidental release of sensitive data, the team can act more quickly to mitigate the exposure.
Ignoring What the Metrics Are Telling You
When a security culture goes awry, the problem shows up in the organisation’s vulnerability metrics. The human factor in cyber security is well recognised, with shocking statistics such as 82% of all cyber attacks involving a human element. Human error happens when people are unaware of how their actions can lead to leaked data or put a company at risk. So, if you notice an increase in potential or actual breaches, this may be traceable to employees and non-employees alike.
Metrics are your friend: use the metrics provided by Security Awareness Training programs and simulated phishing programs to identify points of concern. Metrics allow you to tailor the training so that it is more effective. In addition, training can be adjusted based on roles to focus attention on specific vulnerable areas.
In One Ear and Out of the Other
An ineffective security culture can lead to inefficient learning about security. Boring, repetitive classroom-type training material can put employees off and damage your chances of building a robust culture of security.
Active learning happens when people are engaged and can connect with the material at an emotional level. If you don’t provide tried and trusted security awareness content, you might find that the information goes in one ear and out of the other, with employees forgetting vital learning experiences and poor security behaviour remaining unchanged.
Stimulating material works wonders: provide stimulating learning material that chimes with your employees. Use point-of-need training so that employees learn at the moment the knowledge is needed, helping to change behaviour from bad to good. Engaging material sticks with employees and builds the security-first mindset needed to cement a security culture.
Training is Disconnected
Cultures of all kinds are built upon trust and communication. A bad security culture can arise if employees don’t discuss concerns or issues with line managers. The problem occurs when those same line managers feel disconnected from the security culture. This can happen when training programs miss out on management or when training material is not tailored to specific departments and roles.
Connect up roles and departments:
- Build relationships and break down boundaries when developing security training programs by designing campaigns around specific roles.
- Include all employees in training: everyone in an organisation plays their part in the company, and everyone must be part of the security culture.
- Use training material that develops connections between management and employees through collaborative training events such as escape room-style games.
A Lack of Involvement
Cultures blossom when they involve everyone. People are social, and prosocial behaviour is part of building solid and cooperative communities. If you don’t include everyone in your Security Awareness Training, factions will form with poorer security behaviour than those who have been through training. A lack of involvement by some will hold back the development of a cohesive security culture and community.
Listen and learn: listening to your staff helps develop a sense of community and trust. Have an open door policy to establish connections, leading to better security responses. Involve employees in Security Awareness Training using initiatives such as the annual cyber security awareness week. Good listening skills are a great engagement strategy, and they also help develop the community spirit vital to a robust and effective security culture.
There is a proverb that no doubt you will have heard: “united we stand, divided we fall.” This saying encapsulates the importance of working together towards a common goal; in doing so, the “whole becomes greater than the sum of the parts.” Security Awareness Training should involve the entire organisational community and build bridges based on shared experiences and concerns. By providing a program of enjoyable, engaging, and informative Security Awareness Training, your company can build that elusive but vital security culture.