The Carrot and the Phish

6th August 2020 By: Creamer Media Reporter

Best practice insights for building a security-centric culture that can withstand any attack in any organisation

The 2019 CISO Alliance Information Security Survey looked at how large South African organisations run security awareness, and at the measures they take to protect the business and improve their users' security culture. The report found that 80% of those surveyed had made security training mandatory, 50.6% were using rewards and 26% were applying punitive measures. Best practice lies in an intelligent blend of all three, suggests Anna Collard, SVP Content Strategy & Evangelist, KnowBe4 Africa.

“The best approach would be a combined one, the carrot that gives people the rewards for participation and good behaviour and the stick that reprimands those who consistently fall for attacks that they shouldn’t have,” she adds. “By blending rewards, ongoing training, phishing simulations and punitive measures, companies are more likely to get employee buy-in and adherence to security rules and regulations. It’s also important to get buy-in from the executives and management – everyone needs to be involved.”

To really embed a culture of security, there have to be people committed to making it happen at every level. Video clips of the CEO talking about basic security measures, tabled minutes in board meetings that focus on how to improve security hygiene, and consistent company-wide communication are all good steps in the right direction. If the CEO and other leaders within an organisation visibly commit to security, it gives weight to the initiative and to employee buy-in.

“People look to their peers and leaders when it comes to their behaviour and decision making, so make sure everyone recognises the value that the organisation places on security,” says Collard. “It’s also important to include empathy and understanding for the different audiences in the organisation. From HR to IT – every business area has different needs and requires a different approach. In the call centre, for example, there are usually a lot of young people and the turnover is high, so you’d want short, humour-driven narratives that are story-based and easy to digest. Executives are time poor – so give them short bites of highly relevant information.”

Make culture testing part of the process. This means regularly assessing people's understanding, attitudes and behaviours in relation to cybersecurity. A measurement tool such as a culture assessment provides insight into the messaging required and highlights improvements, as well as areas that need more work. Within this, it is also important to make the training content as personally relevant as possible, so that people pay attention.

“With people now working from home, it has become as essential to secure the home network as the new office,” says Collard. “If the network is compromised, it can affect more than just corporate information, it can have an impact on the children and family as well. This is important information to include in the training – if people realise that their security training is not just protecting the organisation but their personal lives as well, then they are more likely to be vigilant and compliant. Put in nuggets about online schooling, cyberbullying and hacking. This helps everyone and builds a truly solid cybersecurity culture.”

Mandatory training is a fundamental part of any successful security training campaign and culture, but so are incentives such as rewards and negative consequence management. “Successful reward schemes are public shout-outs for users identifying and reporting attacks, a raffle prize for the first group completing their training, as well as paying a bonus amount to everyone who hasn't fallen for a phishing test all year,” Collard says. If people adhere to the rules, catch phishing emails, report suspicious activity and generally come to the proverbial party, then it is best to recognise their contributions and the value they add. This is as important as putting security training into KPIs and pushing completion as part of onboarding and annual reviews. But so is remedial training, and even disciplinary action, for someone who consistently clicks on real or simulated phishing emails. The risk to reputation is too great to allow for repeated mistakes.

“In the past, security training was something that you could do if you wanted to know more, now it’s becoming embedded into roles and responsibilities,” concludes Collard. “The message that every organisation needs to send is this – security is everybody’s responsibility, so let’s do it together.”

There remains a steady shift in attitude and approach across the country as organisations recognise the value of training and culture in building a robust security posture.