In the previous blog in this series, we explored the commonly overlooked areas within human risk management, and why they’re so important to cover at a time when humans are responsible for the majority of cyber breaches. To complete the series, we’ll look at how to address human risk in practice, by developing a positive, engaging, and proactive secure culture throughout your organisation.
A key point to emphasise is that merely ramping up current security awareness training programmes is nowhere near enough these days. Neither is simply ‘giving up’ on human security best practice because the training isn’t getting through, and instead putting all your security eggs in the solutions and technology basket.
A secure culture is vitally important because so many cybercriminals are now successfully exploiting human psychology and emotions. They’re attracting the attention of people who feel curious, angry, scared or any other type of emotion, who are then driven to open malicious attachments or click on dodgy links by their heart rather than their head. Developing a secure culture maximises the chances of employees making decisions with their heads instead.
Before we go into the practicalities of a secure culture, it’s important to differentiate it from traditional security awareness training.
The main difference can be found in who is making the effort to apply security best practice. With security awareness training, that resides with the CISO, the security team, or (if applicable) the IT team in general. They’re responsible for drilling vital information into the minds of the workforce, but the success of this training is entirely dependent on the willingness of each individual employee to engage with the subject matter and take it seriously.
On the other hand, with a secure culture, that effort is made by absolutely everyone across an organisation, whether they work in IT and cybersecurity or not. This is where everyone is empowered to understand why security best practice is important, what the consequences are if a breach occurs, and are proactive in upholding those standards.
So how can you develop that secure culture and reach that state of constant awareness and proactivity? Well, firstly, it’s not something that’s going to happen overnight: it will take gradual change and adjustment to security processes and frameworks, many of which will have been ingrained within organisations for years or even decades. We recommend these six vital steps as the best starting point:
Assess security posture and awareness: look at your current security situation and how data is handled. See if there are patterns in good or bad practice across employees, vendors and channel partners, and whether there are any teams or processes that are especially vulnerable
Identify and analyse threats: prioritise any risks and threats that you know about, and simulate scenarios when they arise, so that you can better formulate responses to them. Partnering with an expert third party can help here, so that you can gain an objective view of where you might have weaknesses in your response strategies
Investigate employee behaviours: look for any pain points in day-to-day employee activities where they may be especially vulnerable to poor practice or simply dropping their guard. Start to bring in regular, gentle reminders that can gradually encourage employees towards better user behaviour and security practice
Gain insights from past incidents: any breaches or incidents that you have previously suffered are full of information and learnings that you can take forward. Explore what went wrong and why, and ensure the right measures are in place to prevent those issues from reoccurring
Change processes and training: with all of the above complete, you can then set about remodelling your processes to support better behaviours. Communicating the change is vital to ensuring strong employee buy-in, and helping promote regular training and constant, proactive best practice at all levels of the workforce
Automate where possible: technology still has a role to play, especially in areas where it can reduce the risk of human error. Investigate solutions such as user access and authorisation, multi-factor authentication, password management, spam filters and encryption, as well as AI-supported security tools that can flag up (and sometimes automatically deal with) anomalies
Developing a secure culture is a gradual process, but one that is well worth the time and investment along the way. With a strong, sustainable secure culture in place, you’ll find it far easier to keep data, systems and applications safe, and reduce the threat of constant security events overloading your solutions and security team. And at a time when both cyber threats and penalties for security non-compliance are both increasing, a secure culture can make a real difference to the future success of your business.