Building a Cyber Smart Culture
Most cyber professionals realise that one of the key pillars of an effective security posture is for employees to be educated and engaged in the process of keeping the organisation secure. However, many corporate workers are unaware of their role in protecting their businesses against cyber crime, and many believe that security is not part of their responsibility. We have recently conducted a study surveying 331 senior executives from various organisations in 14 countries1 which revealed that a worrying 45% of respondents believe cyber security has nothing to do with them.
The research suggests that this disconnect stems from the traditional approach taken by IT security teams to raise awareness of cyber security issues and drive engagement. 60% said all employees in their company receive the same cyber security training, despite significant differences in roles and security issues they face. And, of the businesses that provide role-based training, 61% currently find it ineffective suggesting that most rely on basic annual security training methods rather than considering how to empower colleagues to take collective ownership – or share the knowledge they need to form the first line of defense.
The need to educate, engage and equip employees is more critical now than ever. A significant percentage of business communication currently occurs outside of the corporate network, because of the move to home-based working. Cyber criminals are taking full advantage of the circumstances to exploit these vulnerabilities. Something has to change.
Creating Cultural Change
The goal of any for cyber security awareness and education initiative should be to build a sense of collective responsibility where everyone understands how their job contributes to the company’s overall security posture, and ultimately how that helps the business achieve its goals. But what can we do differently to drive this if the traditional methods are working?
Listen to the non-experts
Our findings highlighted a misalignment in the views of two categories of employees: technical respondents and non-technical respondents. Non-technical employees, who form the majority in most organizations, do not appear to be telling IT as much as IT would like to believe, and are more worried about blowing the whistle. These are the kinds of discrepancies that organisations can smooth out with better communication, and that means actively listening to feedback. Only by listening to staff will a security team be able to create and implement the correct measures to empower those staff to work securely.
A colleague of mine shared recently that in his old role as a CISO he had an eye-opening conversation with his Finance department. He discovered that his training around the tell-tale signs of a phishing email were irrelevant because that department had to deal with suppliers and communications from across the world and so asking them to ignore any emails that appeared grammatically incorrect would have meant they could not do their job.
To build a more effective culture then, it is clear that cyber professionals must foster clearer modes of communication that allow them to listen to what non-technical employees think about cyber security and what they need, and use that feedback to create relevant measures and controls.
Think about education, not training sessions
Our survey also revealed why employees consider cyber security training to be such a turn-off: Just 26% of non-technical workers find the training engaging, 32% say it is too long, 35% are bored, and the same percentage say it is too technical. This apathy is being exacerbated by the fact that most training is now delivered online and 45% of non-technical workers described online security training as ineffective.
Clearly, there is a need to change the content and delivery of training sessions but our survey suggests that education must be viewed more holistically. Most non-tech respondents (69%) claimed that that training is most effective when it involves games, rewards or quizzes to improve security awareness or behaviors. And two-thirds (66%) believe in the effectiveness of signs, posters and notices (physical and digital) that promote awareness and security best practice. The idea of gamification is an easy way for companies to make training less of a box-ticking exercise, at least for non-technical staff.
Get personal
Our research suggests one way to combine behavior change and knowledge: getting personal. The most common cyber security-related conversations respondents have with colleagues are about personal settings (such as the use of work tools on non-work devices – and vice versa) and working remotely.
This natural interest presents organizations with an opportunity. Innovative and interactive training on issues employees encounter in their personal context is likely to get strong engagement, yet it could convey many of the same behaviour shifts and lessons that are needed in the work context. This is the kind of technique that organizations can use to turn employees from security practitioners into security advocates, a hallmark of a cyber smart culture, while making it more likely that those employees will remember how to act.
Security is everyone’s responsibility
Organisations can build a cyber smart culture by getting creative with the content and delivery of their training, by listening to the “feedback from the floor” and by considering how cyber security impacts their staff. It is vital that businesses apply these lessons because, according to our research, 78% of respondents believe cyber security has moved up the priority list in 2020. This gives organisations an opportunity to tackle the culture challenge as employees are anticipating it.
Building a Cyber Smart Culture must be given the same priority and investment as the process and technological measures an organisation implements to create the secure posture that makes it resilient to modern cyber threats. But it is time to put to rest the idea that CISOs and their teams are the only ones who are responsible for cyber security, and the only ones that should advocate for better practice: everyone in the organisation should play a role.
Notes
The global survey was carried out in September 2020 by Longitude / Financial Times on behalf of Fujitsu.
About Fujitsu
Fujitsu’s advanced security solutions help businesses and public agencies minimise disruption and maintain business continuity by strengthening their security strategy and operations across every level of an organisation. This means intelligence-led solutions supported by an integrated and collaborative approach to cyber security challenges – all delivered to the highest security standards. This enables organisations to adopt a security model that retains the elasticity necessary to operate in the current conditions and offers security without hindering business growth.
Dan Patefield
Dan Patefield
Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.
Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.
- Email:
- [email protected]
- Phone:
- 020 7331 2165
Jill Broom
Jill Broom
Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.
Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Twitter:
- @honeybroom
- Website:
- www.techuk.org
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Annie Collings
Annie Collings
Annie joined techUK as the Programme Manager for Cyber Security and Central Government in September 2023.
Prior to joining techUK, Annie worked as an Account Manager at PLMR Healthcomms, a specialist healthcare agency providing public affairs support to a wide range of medical technology clients. Annie also spent time as an Intern in an MPs constituency office and as an Intern at the Association of Independent Professionals and the Self-Employed.
Annie graduated from Nottingham Trent University, where she was an active member of the lacrosse society.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/