How to create a security-focused work culture

Learn how to beef up your company's cyberdefenses by training employees on cybersecurity policies and procedures, password management, and phishing.

Image: iStock/NicoElNino

When it comes to cybersecurity, it appears we humans are the weak link in the chain; that opinion, sadly, is backed by study after study. For example, Shred-it, a well-known information-security company, reveals in its State of the Industry, Information Security report that:

  • Nearly half of participating C-suite executives and small-business owners reported that human error or accidental loss precipitated the company's data breach.
  • One in four C-suite executives and one in five small-business owners, who participated in the survey, reported human error or accidental loss by an external vendor caused their organization to suffer a data breach.

In a press release about the report, Monu Kalsi, vice-president of Shred-it, is quoted as saying, "The study's findings clearly show that seemingly small habits [of employees] can pose great security risk and add up to large financial, reputational and legal risks."

SEE: Security awareness and training policy (Tech Pro Research)

Most proposed solutions suggest that workers need training--that sounds about right, but what does that mean in today's digital work environment, where keeping up with cybercriminal tactics is far from simple? Kalsi suggests:

"Smart information security begins with giving employees access to information security practices and training. Through consistent training and education, businesses of all sizes can take back ownership of information security and create a more security-minded work culture among their employees."

Back to basics: Cybersecurity training for employees

The Business Matters magazine article Three cybersecurity tips to help train your employees digs deeper into what Kalsi is referencing when it comes to employee training. The authors want company management to take training a step further--for starters, make the training material understandable, and ensure employees comprehend what's being asked of them.

Cybersecurity policies and procedures

It's not rocket science--if employees are not aware of their obligations regarding relevant policies and procedures, one should expect cybersecurity events. "The fundamental issue here is that policies and procedures are never actively taught, shown, or provided in context," suggest the authors.

SEE: Information security policy (Tech Pro Research)

To make matters worse, company guidelines are often complex, confusing, or so generic they are difficult for employees to apply to their specific circumstances.

The authors' solution involves the following:

  • Those responsible need to review the company's cybersecurity policies and procedures, ensuring they are understandable, applicable, and up to date.
  • How company-owned and/or personal digital equipment is used needs to be spelled out; otherwise, it will be difficult to secure the company's digital infrastructure.
  • Ask any teacher, "telling" is the last thing that works when trying to explain a complex subject--what does work is showing employees what needs to be done.

Password management

Security experts have been trying to get rid of passwords for a long time, yet passwords are still used and are protecting vital hardware and software assets. Knowing that, employers and employees need to come to an agreement as to what is a workable and secure situation.

SEE: Password management policy (Tech Pro Research)

The article's authors suggest that company management should implement advanced password-management tools and reward employees who follow company policy. At the same time, employees must accept responsibility--starting from the C-suite down through the ranks.

"At every stage they should be sitting down with employees and explaining the business benefits of comprehensive password security and in a way employees understand," explains the authors of the Business Matters article. "Providing real-world examples such as identity theft and data theft, for instance, can help to get employees on board."

Educate users about phishing

Fraud has been around a long time, and fraudsters are becoming proficient at the digital version--phishing. Since this targets humans directly, cybersecurity technology, is for the most part, ineffective. "The challenge is educating employees on phishing so that they can identify a phishing attack--particularly if they are using an endpoint device such as a mobile phone or laptop--and follow through with reporting it," note the Business Matters authors. The article goes on to suggest a company's security personnel should "show/explain" what a phishing attack might look like and cover the following.

Email address: It is possible to automatically detect "known" fraudulent email addresses, but employees should be suspicious of unknown or unusual email addresses.

Greetings in the email: Phishing emails typically use generic greetings--be suspicious of emails with non-personal greetings and are asking for sensitive company data or personally identifiable information (PII).

Grammar and style: A dead giveaway would be emails with spelling or grammar mistakes--use an out-of-band method to check legitimacy.

Link destination: Phishing experts urge caution when there are active links in an email (spoofed URL)--check out the accuracy of the destination before clicking on the link.

Immediate action: Hastily-made decisions usually end up being regretted; cybercriminals rely on that, so don't give them that edge.

Images and logos: Do not base authenticity on logos or images--it is very easy to insert visual content into phishing emails, malicious websites, and forged electronic documents.

SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)

Final thought

Showing instead of telling and getting employee buy-in are cheap, logical, and efficient ways for business owners to increase their company's cybersecurity. The article ends on a positive note: "Regular cybersecurity training and review of policies and procedures will help to build a culture of cybersecurity within a business."

Also see