The concept of cybersecurity and privacy at work has long since left the IT department and is now looming on the minds of all employees from the C-suite to remote workers.
The media and even browsers like Chrome, have done a great job of raising awareness, but those who are not well versed in IT are still left with a less than satisfactory understanding of what it really takes to be cyber-secure.
With this month being National Cyber Security Awareness Month, we felt it was a good opportunity to dish out some tips on how you can best create a culture of cybersecurity at work.
Cybersecurity Culture Starts With the C-Suite or Board of Directors
No good change strategy ever started at the bottom. If you want to create a culture of cybersecurity, then you must first start with the C-suite. CXOs and the board are generally a hard bunch to convince if you aren’t fully prepared, especially when you aren’t able to show how their investment will pay off.
The first step is to start by explaining how it’s less expensive to invest in cybersecurity then it is to clean up after a data breach. According to a Ponemon study in 2015: “average annual losses to companies worldwide (because of a cybercrime) now exceed $7.7 million”.
What’s worse is that the cost of a data breach is not always possible to calculate in figures. Some companies suffer a massive loss in reputation or drop in stock prices.
For example, after TalkTalk was hacked for the third time, it was reported that they saw a stock price drop of 10.7% to 239.7p. At the time of writing this, the stock price is 210p. Of course we can’t know for sure that this is 100% due to their cyber-attack but if we look at a graph of their stock prices over the last year, we can see from October 2015 a drop before some recovery is made. October 2015 is the last data breach they suffered.
Figure 1 - Google Finance Image
For IT to convince CXO’s, they will need to speak their language and finance is at the heart of that. Conversely, technical jargon is probably what you want to steer clear of.
You should also remind your board and CXO’s that without adequate levels of cybersecurity you are leaving your trade secrets open to hackers. This leaves you less open to innovation and less able to outperform your competitors.
CXO’s and the board should then be poised to adopt cybersecurity best practices within their own day-to-day lives. They probably travel a lot for work and make important communications while travelling, but do they know how open they are to communication interception while on the road? Do they re-use passwords? It’s worth asking all these questions and explaining how they are making themselves and their own company vulnerable. You might have them think twice before logging into an open Wi-Fi network and sending sensitive data about the company.
Invest In Cybersecurity Training Company-Wide
Once you have approval and adoption from the board to the CXO’s, you should look at investing in a long-term cybersecurity training program for all employees.
Of course you want to be able to share this information in an easy and manageable way without affecting the productivity of employees. Consider the following methods:
Work with your HR department to start a cybersecurity onboarding program for new employees. If someone starts at the company, before they are even given their IT equipment, they should be given the basic cybersecurity training. Consider the following topics:
- Basics of password management.
- The basics of encryption and digital signing, if you're using those types of solutions.
- Understanding phishing attacks.
- Backing up work.
- Sending personal and important information.
- Account limits, access and authentication.
- Policies and best practices.
Of course someone who is just starting a new job will probably be keen to get to work and so they might not put much onus on this training, especially when it is the first thing they encounter. You should make sure you have supporting documents so they can look through these before getting started. Then you can get them acquainted with their equipment and let them set everything up.
This is a great time to explain that the weakest link in an organization’s cybersecurity is their employees. If you start with the basics then you can build up from there.
Ongoing Cybersecurity Training
New attacks or vulnerabilities hit the market every day, some more popular than others. It should be up to the IT department to send regular bulletins about types of attacks and what employees can expect to look out for.
You could also carry out regular phishing simulation tests and gamify these so that people are always on the lookout for phishing emails, or websites with the hopes that they might receive something for being the first to report it to their IT department.
Cybersecurity Policies and Guides
You should work with your HR and legal department to define a cybersecurity policy for your company. This should be based on all of your company’s weakest vector points. For example, if you have a lot of employees using their own phones and tablets to work, you will need to establish a mobile workforce or BYOD policy. If you have a lot of remote workers, you might want to establish a guideline or best practice for their use of networks at home.
The guidelines and policies will need to be updated regularly based on new threats and new best practice. These updates will also need to be communicated regularly to people in your company.
Communicating Cybersecurity with Employees
The final tip for those who want to create a culture of cybersecurity at work is to make sure you are always communicating about cybersecurity in your company. This could mean:
- Updating employees of new regulation or policy.
- Holding quarterly or bi-annual cybersecurity meetings or training.
- Having a cybersecurity section added to the company newsletter.
- Partnering with cybersecurity initiatives like the National Cyber Security Alliance.
Or (and most preferably) all of the above!
Other types of cybersecurity communication will include things like incident response strategy and communication with employees should you actually have a data breach. What will you tell employees and how will you ask them to respond?
Cybersecurity initiatives like the National Cyber Security Alliance hold events like the National Cyber Security Awareness Month in October where they promote awareness of cybersecurity in business. You can join them with social media posts, emails, events and more. It’s a great way to get your employees to engage since it is such a huge initiative. Other similar initiatives include Security Serious Week in the UK and Cyber Security Month in the EU.
As a global company, we have been taking part in all three (at varying degrees) and as a result have been sharing a cybersecurity tip every day on Twitter with the hashtag #CyberAware. Follow us to and help us spread awareness!