Security-consciousness comes more naturally to some organizations than others. In certain industries, like finance or data management, it is almost ‘built-in’. But every company is a target for data breaches and ransomware, and employees are a primary entry point for attackers, so how mindful your people are of security risks is increasingly important. The traditional response has been a one-and-done end-user training session. A deeper approach is to equip your employees with an awareness of the risks and the behaviours that mitigate them, but if they aren’t motivated to comply, this can fall flat. So, how do you create a security-conscious work culture when you are not in an industry where it is already ‘built-in’?
The answer requires collaboration across multiple teams, top-down and bottom-up tactics, and making the solutions you implement both visible and pervasive. Below are five considerations for building a security-conscious work culture.
1) Policies
New policies are difficult to introduce, but they are foundational to achieving cultural change. Have stakeholders from across departments participate in their development: human resources, communications, facilities, information technology, data governance, and compliance (if you have them). Some items worth including:
Tailgating - A policy on tailgating (following an authorized person into a room or building) provides two basic benefits for security consciousness. First, it encourages the understanding that security is not just ‘digital.’ Second, it is pervasive: if your employees are thinking about whether somebody is behind them every time they enter the building, security starts to become a top-of-mind consideration.
Passwords - Passwords are also pervasive, since they are entered multiple times a day, so it is important to have a policy that prevents sharing of passwords and requires good passwords (which we discussed in the context of the Air Canada breach). Of course, no matter how complex your password is, the greater risk these days is that it is compromised rather than ‘determined’ by brute-force tactics, which may cause you to re-evaluate how often your team is required to change their password.
It’s Always OK to Ask - Your staff should know that they can ask whether something is in keeping with the policy, or with being secure in general. If employees are afraid to ask for fear of embarrassment, you risk being unaware of bad behaviours, those behaviours continuing, and your cultural shift being undermined. Include this in the policy so there is no question that there are no bad questions.
2) Communication
Communicate regularly and meaningfully to ensure something becomes culturally ingrained. Each of the items we discuss in this post needs to be supported by communications that inform your staff. Regularly does not mean “once, upon introduction”; make sure you follow up on how the organizational change is progressing. Communications should cover both what the policy/process/system/behaviour is, and why. Be transparent: explain that this policy is in place to reduce a specific risk. Understanding why helps keep employees compliant. Engage Communications, Marketing, or Change Management to communicate this effectively; this is part of why they should be included in the policy determination process.
3) Hiring Practices
While we are not suggesting you re-staff your organization, you can consider security-consciousness (or risk-aversion) in the hiring process going forward. For roles with access to sensitive data (such as analysts, human resources, etc.), you may want to weight it more heavily than for others. A shortcut here is to consider candidates who have worked in an industry like those discussed above, where security-consciousness is almost ‘built-in.’
You can reinforce your policies and encourage desired behaviours after the hire as well: consider including a review of the policy in your onboarding process, or adding a security section to your employee handbook.
4) Technology
For physical security, code-access locks, key cards, biometrics, motion sensors, and cameras may be the very things your organization hasn’t invested in if you aren’t in one of those industries, so we aren’t going to cover them individually.
Something to note about technology is that, for it to affect your culture, it needs to be both visible and effective. Nothing undermines a security-conscious cultural shift more than employees knowing that a camera doesn’t work, or that the lock on the data-centre door is broken. So technology is a double-edged sword: it can influence the culture toward security consciousness, but it can also lead employees to engage in compromising behaviours if its value is not apparent.
For cybersecurity, what better to contribute to a risk-averse culture than for your employees to know that ActZero Threat Hunters are actively patrolling their environment? Our monthly report provides metrics you can share with your team to demonstrate how you are improving, and just how many threats are being detected and responded to every day.
5) Social / Behavioural
Ultimately, the culture of your organization is social in nature, so we can’t leave out the social and behavioural strategies you can use to achieve security-consciousness.
Personal accountability can help remove the diffusion-of-responsibility problem (e.g., “Security? That’s IT’s job”). Having employees feel personally responsible can be the difference between saying something and not. On that note, encourage your employees to speak up if a suspicious email comes through (it may have gone to the whole organization). If people are the weakest link in your cybersecurity prevention posture, then calling “heads up!” can speed up the “slowest buffalo”. Additionally, regularly conducting “fire drills” for responding to a cybersecurity incident (for more on this, see our post on how Ops can help) helps ensure everybody is prepared, and further increases the likelihood that the other behaviours described here become part of your regular, culturally reinforced behaviour.
Note that setting and communicating policies, investing in technology, changing your hiring/onboarding practices, and bringing about social change all take time. If you are looking to fast-track your company’s prevention posture, reach out to our experts today.
This list is not exhaustive – what steps have you taken to make your work culture more security-conscious?