The threat actors have not only grown in numbers but have also become more sophisticated. They have mastered speed, precision, and agility in their endeavours than the internal security teams. As technology is evolving, malicious actors have automated their actions to make the hard tasks of Identifying potential targets easy. But on the other hand, the high interconnectedness of most organizations increase attack vectors and the impact during an attack. We also read statistics on the period an organization takes to detect a breach being 200 days (a Ponemon Institute report).

The predominant traditional goal of Information Security aims at the right technologies, processes, and measures. These protect corporate networks, core systems, and company sensitive data from attacks. But statistics from Mandiant Security Effectiveness Report 2020, show that 53% of successful cyber attacks infiltrate organizations without detection. About 91% of all cyber incidents targeting organizations do not generate intrusion alerts. Henceforth, the predominant traditional cyber security techniques alone can not guarantee total organizational security. In this article, I will be hinting at the role cybersecurity culture plays to combat the prevailing cyberattacks on organizations

What must you know?

Just like culture defines the social behaviour and norms found in human societies. Organizations should empower their employees to face the more prevalent and sophisticated attacks as a daily social behaviour. This will help employees not to put company data at risk or fall victim to cyber incidents.

Today most businesses are investing heavily in cybersecurity mostly basing on technology and ignoring the human element. The human element is evident to be the top security risk for any organization

NOTE: Humans will always be responsible for making or breaking business’ cybersecurity defences, especially when there is a lack of cybersecurity awareness. Staff may not understand the seriousness of a cyber threat and how it could severely impact the reputation of the company, and their jobs. The poor cybersecurity posture of organizations’ networks, leads to loss of sensitive data and money. Cybersecurity vulnerabilities in all organizations (both small and large) have always existed and are not about to end. The best remedy for organizations to protect themselves is increasing cybersecurity awareness.

Why should organization embrace cybersecurity as a culture?

Cybercriminals will continuously do what they do best (conduct attacks) on organizations. They use a variety of techniques like social engineering (phishing emails). These attacks target vulnerable employees and if found unware of the likelihood, the aftermath can be devastating.

Employees act as the first line of defence to your organization’s fortune and they need to be empowered (Awareness training). The technology that an organization possesses does not operate itself, humans are needed to operate the technology. Organizations should focus their investment on Awareness training to impart knowledge on how to overcome the prevailing attacks. It is also evident that staff have everyday privileges of access to the organization’s core systems and private data. This means that they are essential when it comes to building cyber resilience of the organization’s threat landscape.

Case study:

Taking into account disgruntled employees that wish to revenge on their former employers. Take a look at the case on the internet of Jason Nadeen:

Jason was an employee of an engineering firm Allen & Hoshall in Tennesee until 2015.

After he left for his firm, he still had access to his former employer’s file servers and email. This was anticipated to have happened for over two years undetected. He downloaded sensitive documents and designs for the organizations and other sensitive files worth roughly $ 425,000. Nadeen was convicted after he accessed a former colleague’s email account. He claimed, in court that he was just checking in on his old projects out of habit and concern. The story seemed a hard one to digest. A client he pitched after accessing a proposal meant for Allen & Hoshall recognized the proposal which led to his conviction.

The FBI got involved on this one and helped Allen&Hoshall put together a case. Nadeen lost his engineering licence and was remanded for over eighteen months in prison

Going forward

A cybersecurity culture in the workplace plays a big role in reducing the cyber risks towards the organization. It also helps improve the organization’s security posture. A security culture does more than the policies that are not well addressed and explained to employees. For example, a password policy that deems employees to use complicated passwords without telling them why. Staff do not intentionally put their organization at risk, they instead need awareness training and guidance to overcome security events.

The overall purpose of an organization building a cybersecurity culture is not to implement security regulations. But spending more time explaining to their employees about possible cyber risks their implications. The cybersecurity norms introduced help the staff to conform with any trending vectors in their daily work routines and practices. But also elaborating the impact of how their behaviour can help or hinder the entire organization’s structure.

Recommendations

Good and sustainable cybersecurity calls for a blend of both teaching offensive and defensive mechanisms. These will guide staff on how they can protect company assets in case the offensive traits surface. Security professionals may understand the implications of a very bad security posture (an organization full of vulnerabilities ). But a lay worker like a receptionist or gateman or cook does not understand this at all.

Just like earlier mentioned that employees act as an organization’s first line of defence. It is the role of the organization to enhancing the knowledge of staff to understand network threats. And also learn about new threats and their impact, but most importantly learn how to respond to threats promptly.

To this end, Summit Consulting has helped so many organizations to empower employees through Awareness training. Where we demonstrate the impacts of attacks as well as how staff can respond to the attacks once they strike. We highly recommend this training to all organizations irrespective of the size and capacity. And irrespective of the level of staff be it an executive of a cook. That is if organizations are to stand firm and proactive in the instance of attacks.

How should organizations create a cybersecurity culture?

1. Cybersecurity Training and Bootcamps

Training is resourceful whereby all practices of security are administered during the training. Practices like embracing the use of a strong password, never reusing passwords, and not sharing passwords can be embraced. For governance purposes, a password policy can go very far if implemented on the network domain and followed by all. Standard password policies create an effective line of defence, making it harder for attackers to break into the corporate network. Preaching the benefits of using 2FA which adds a layer of security to the baseline and limit access to accounts. Will protect organizations from attacks like identity theft.

Another good practice is implementing access controls and allocate privileges to users according to their level of data access. But also not forgetting to deactivate former employees from the system and deny them access to the core systems. This will help to prevent data leakages.

2. Make ongoing cybersecurity training schedules for staff

During our client engagements, we find that clients conduct awareness training once a year. And once training is conducted, many organizations feel it’s a wastage to conduct another since their budgets have other requirements.  According to this experience, many organizations survive on God’s mercy for not being breached. Although many others are breached and can’t tell.  In most cases, staff only take training seriously during the training and when they step out, they switchback. This continuously puts the company’s digital and valuable assets at risk.

But with continued cybersecurity training, employees are guided on how to conduct themselves while using digital devices over and over. A repetitive process is not forgotten easily and concepts are continually grasped. While in the training, it is important to let staff know how important their role is in the company. It is also value-adding to show them how they can reduce the risk profile of the organization.

3. Monitor post-training behaviours

Organizations should avail prizes to better security performing staff by throwing competitions as part of security training. This helps to keep track of the training effectiveness. Through quick and regular assessments and tests, make sure that the training you provide is useful to staff. The training should provide concrete knowledge for your employees. These metrics will show you how far you’ve come with building and developing a cybersecurity culture.

4. Communication channels where staff can report threats easily

In the whole process of building the security culture, all communication needs to be open with all departments. Staff need to feel positive about reaching out to the security department to report something or react when they mistake.

Employees need to collaborate with the security team where they get help in case of any security challenges. The security teams provide deeper knowledge and insights to queries from other employees. This makes staff feel the impact of their role in the cyber security culture.

It is of great value for organizations to create communication channels where employees can easily reach out to security experts. This will help them to report anything suspicious or make any inquiries and or request refresher courses in cybersecurity training.

Conclusion

An organization with robust security systems intertwined with a resilient cybersecurity culture will guarantee the organization’s security. And also will reduce the likeliness of successful data breaches.