How to build a culture of security in your business
Protect against 2017’s biggest cyber-threats with an organization-wide security culture
Growing numbers of nation-state cyber-attacks that target a country’s infrastructure, institutions and governance. A predicted increase in residential and industrial Internet-of-Things (IoT) hacks. Ransomware attacks with an impact reaching 200,000 users in more than 150 countries – and growing.
Though we’re little more than halfway into 2017, it’s clear that the year is poised to be one of the riskiest yet in terms of cyber-threats. But while many organizations and employees would prefer to relegate these attacks to the domain of IT and security workers, the reality is that protection against computer hacks is everyone’s responsibility.
Building a culture of security is, effectively, taking a proactive approach, rather than a reactive one. It’s far better – understandably – to have employees embrace necessary safety and security protocols than it is to be stuck cleaning up messes created by improper, unsafe behaviors.
To better understand how to get to this point, let’s explore the concept of a security culture, as well as the changes that are needed to get there.
What is a security culture?
Chris Romeo, CEO of Security Journey, shares his definition in an article for Tech Beacon:
“Security culture is what happens with security when people are left to their own devices. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure prior to ship?”
A security culture is one in which every employee takes responsibility for the protection of their organization; one where workers are empowered with both the knowledge of how to guard against safety issues and the organizational support needed to execute these behaviors confidently.
What do you need to build a security culture?
The benefits of a properly functioning security culture are clear. But how do you arrive at that goal – especially if your current company culture could be considered anything but secure? What systems and processes must be put in place to get all team members, at all levels, on board?
In his book, Building a Security Culture, author Kai Roer argues that security cultures are built from three distinct components: people, policies and technology.
“These three elements give us perspectives to the world. The more we understand their formation and their continued interaction, the easier it is to understand how we can use them to build and maintain security culture. Each of these elements directly impacts the other two. No matter where the change happens, the other two elements are changed too.”
Let’s break down each of these three elements into more practical, actionable tips for building your own culture of security.
To be clear, employees are rarely malicious when it comes to security. So, while protecting your organization against coordinated attacks is important, it’s just as critical that the culture you’re building helps Sally in Accounting keep company security at the forefront of her mind when she’s about to click that cleverly disguised link in a spear-phishing email.
Start with an assessment that answers the following questions:
- How conscious are members of my organization when it comes to security issues?
- How tech-savvy are the workers at my company?
- What programs exist to educate them about company security protocols and their importance?
Understandably, you’ll have a harder time building a security culture in a company full of workers who aren’t familiar with cyber-attack prevention than you will in, say, an IT consulting firm. Knowing where you’re starting, however, will help you determine which programs or initiatives will have the biggest impact on your culture.
Remember that, according to BJ Fogg’s Behavior Model, to get people to change their habits they must have:
- The motivation to change
- The ability to change their behaviors
- The awareness of triggers that dictate when behavior change should occur
Map any training programs you develop against these criteria, based on the results of your earlier assessment. If your organization is full of technological neophytes, begin with education: these workers won’t be able to adopt proper security measures if they don’t have the ability to understand what they are or why they’re important.
If, on the other hand, your team is on the technological up-and-up, you can focus more on positive reinforcement of triggered good behaviors. Coordinate with the higher-ups in your organization to develop recognition strategies that reward those who take active steps to be more secure at work. We have more great ideas on driving employee adoption in our blog.
On the subject of people, it’s also worth noting that, within any organization, you’ll find employees who:
- Eagerly embrace change and the opportunity to become better workers
- Become fearful in the face of change (or reject it outright on the grounds that “the old ways worked just fine”)
Navigating inter-office politics is challenging for any manager; it can be doubly difficult for those asking employees to change their routines away from comfortable behaviors.
In these cases, you may find it helpful to identify “security champions” within your office; that is, employees who will get on board eagerly and evangelize the message of proper security and threat prevention to their colleagues.
Give these workers a public role in your security culture shift. You could, perhaps, give them the authority to dole out rewards for good behaviors observed in the workplace or solicit their input whenever policy or technology changes are proposed. Whatever you decide, make it clear that you value their engagement in your new program. Their enthusiasm will make a powerful appeal for others in your organization to fall in line.
The recognition and reward strategies mentioned above are just one of the policies you’ll want to put into place as you attempt to build a security culture. Having a robust series of documented policies and procedures supports the people you’re attempting to train, whether from an educational perspective (for employees who are new to security issues) or from a point of compliance (for those who understand security best practices but don’t always implement them).
Some of the specific policies you may want to put in place include:
- Documentation of internal security measures
- Role-specific standard operating procedures (SOPs)
- Codified recognition and reward strategies (or punitive measures, depending on your organization’s perspective)
At the most basic level, you need to ensure these are accessible and identifiable to employees. Having policies printed out and filed in your IT office at HQ is meaningless: centralize hosting of vital policies and procedures via your company intranet or storage, and ensure they are clearly labelled and tagged for ease of search. When your employees need information, it should be readily available.
For compliance and audit purposes, functionality such as Mandatory Reads will enable you to track readership and remind your employees of vital information they need to acknowledge.
But what about actually embedding the message, rather than having employees tick a box without understanding the content?
One route you may want to consider is gamification. In an article for Security Magazine, Lance Hayden, Managing Director of Berkeley Research Group, gives an example of a friend who ran the security awareness program for a large company. In view of the organization’s lackluster approach to security, she implemented a sweeping program that made use of gamification and the socialization of security to get individual employees to take ownership of their actions.
“As the awareness program grew, individuals in the organization grew more skilled in identifying signs of attack and more comfortable reporting anomalies to the security team. As a result, over time, the red team’s cost of penetration began to trend upwards as more people spotted and reported them, shutting down avenues of attack and forcing them to find new ways in.”
Policies are important, but they don’t need to be sterile. Make security fun. The less employees feel burdened by the requirements of your program, the more likely they’ll be to take an active role in contributing to a culture of security.
Technology is discussed last here because, although it tends to be the first place IT and security teams begin their work, it’s ultimately the least important. Having the right technology in place will only get you so far. If your employees don’t understand their role in your security culture and you don’t have the documented policies in place to reinforce these roles, there’s only so much that technology can do.
So update your technology as needed. Adopt new solutions if you think they’ll make a difference in your company’s security compliance. But never think of yourself as “done.” Encouraging a security culture – through your people, policies and technologies – is an ongoing process.
As Mike Saurbaugh, a faculty member with IANS Research, a course developer for Excelsior College and an independent consultant, suggests in an interview with Security Intelligence:
“Developing a comprehensive security awareness program should not be considered a destination, but a journey. It requires dedicated oversight and should be ongoing, with engaging exercises.”
Continually commit to improving your security culture, and measure the impact of your changes not just in numerical metrics but in patterns that suggest security behaviors are being implemented and embraced by employees.
What other steps are you taking to build your company’s security culture? Leave us a note below sharing your experiences and your best tips.