Building a Cyber Smart Culture
Most cyber professionals realise that one of the key pillars of an effective security posture is for employees to be educated and engaged in the process of keeping the organisation secure. However, many corporate workers are unaware of their role in protecting their businesses against cyber crime, and many believe that security is not part of their responsibility. We have recently conducted a study surveying 331 senior executives from various organisations in 14 countries [1], which revealed that a worrying 45% of respondents believe cyber security has nothing to do with them.
The research suggests that this disconnect stems from the traditional approach taken by IT security teams to raise awareness of cyber security issues and drive engagement. 60% said all employees in their company receive the same cyber security training, despite significant differences in roles and the security issues they face. And, of the businesses that provide role-based training, 61% currently find it ineffective, suggesting that most rely on basic annual security training methods rather than considering how to empower colleagues to take collective ownership – or share the knowledge they need to form the first line of defense.
The need to educate, engage and equip employees is more critical now than ever. A significant percentage of business communication currently occurs outside of the corporate network, because of the move to home-based working. Cyber criminals are taking full advantage of the circumstances to exploit these vulnerabilities. Something has to change.
Creating Cultural Change
The goal of any cyber security awareness and education initiative should be to build a sense of collective responsibility where everyone understands how their job contributes to the company’s overall security posture, and ultimately how that helps the business achieve its goals. But what can we do differently to drive this if the traditional methods are not working?
Listen to the non-experts
Our findings highlighted a misalignment in the views of two categories of employees: technical respondents and non-technical respondents. Non-technical employees, who form the majority in most organizations, do not appear to be telling IT as much as IT would like to believe, and are more worried about blowing the whistle. These are the kinds of discrepancies that organisations can smooth out with better communication, and that means actively listening to feedback. Only by listening to staff will a security team be able to create and implement the correct measures to empower those staff to work securely.
A colleague of mine shared recently that in his old role as a CISO he had an eye-opening conversation with his Finance department. He discovered that his training around the tell-tale signs of a phishing email was irrelevant because that department had to deal with suppliers and communications from across the world, and so asking them to ignore any emails that appeared grammatically incorrect would have meant they could not do their job.
To build a more effective culture then, it is clear that cyber professionals must foster clearer modes of communication that allow them to listen to what non-technical employees think about cyber security and what they need, and use that feedback to create relevant measures and controls.
Think about education, not training sessions
Our survey also revealed why employees consider cyber security training to be such a turn-off: Just 26% of non-technical workers find the training engaging, 32% say it is too long, 35% are bored, and the same percentage say it is too technical. This apathy is being exacerbated by the fact that most training is now delivered online and 45% of non-technical workers described online security training as ineffective.
Clearly, there is a need to change the content and delivery of training sessions, but our survey suggests that education must be viewed more holistically. Most non-tech respondents (69%) claimed that training is most effective when it involves games, rewards or quizzes to improve security awareness or behaviors. And two-thirds (66%) believe in the effectiveness of signs, posters and notices (physical and digital) that promote awareness and security best practice. The idea of gamification is an easy way for companies to make training less of a box-ticking exercise, at least for non-technical staff.
Get personal
Our research suggests one way to combine behavior change and knowledge: getting personal. The most common cyber security-related conversations respondents have with colleagues are about personal settings (such as the use of work tools on non-work devices – and vice versa) and working remotely.
This natural interest presents organizations with an opportunity. Innovative and interactive training on issues employees encounter in their personal context is likely to get strong engagement, yet it could convey many of the same behaviour shifts and lessons that are needed in the work context. This is the kind of technique that organizations can use to turn employees from security practitioners into security advocates, a hallmark of a cyber smart culture, while making it more likely that those employees will remember how to act.
Security is everyone’s responsibility
Organisations can build a cyber smart culture by getting creative with the content and delivery of their training, by listening to the “feedback from the floor” and by considering how cyber security impacts their staff. It is vital that businesses apply these lessons because, according to our research, 78% of respondents believe cyber security has moved up the priority list in 2020. This gives organisations an opportunity to tackle the culture challenge as employees are anticipating it.
Building a Cyber Smart Culture must be given the same priority and investment as the process and technological measures an organisation implements to create the secure posture that makes it resilient to modern cyber threats. But it is time to put to rest the idea that CISOs and their teams are the only ones who are responsible for cyber security, and the only ones that should advocate for better practice: everyone in the organisation should play a role.
Notes
[1] The global survey was carried out in September 2020 by Longitude / Financial Times on behalf of Fujitsu.
About Fujitsu
Fujitsu’s advanced security solutions help businesses and public agencies minimise disruption and maintain business continuity by strengthening their security strategy and operations across every level of an organisation. This means intelligence-led solutions supported by an integrated and collaborative approach to cyber security challenges – all delivered to the highest security standards. This enables organisations to adopt a security model that retains the elasticity necessary to operate in the current conditions and offers security without hindering business growth.