Every organization is just as secure as its weakest part. The experience of many companies shows that employees, either ordinary or management representatives, are often the most vulnerable.
Cyberattacks are becoming more and more sophisticated and frequent. Attackers target companies regardless of their size or the sector in which they operate. And therefore, in today’s digital era, cybersecurity and building its culture in the organization should be the priority of every society. This is more important nowadays when more and more employees due to the global coronavirus pandemic work from home, blurring the boundaries between private and personal life.
Despite the fact that every employee should be responsible for company’s data and information protection, every organization must provide convenient conditions so that individual employees can apply best practices in the field of cybersecurity.
In the cybersecurity month within this week’s topic “creating a cybersecurity culture in the work environment” we have prepared several tips for building the cybersecurity culture in your organization.
Education as part of a work routine
Awareness of cyberspace risks and preventive measures must be an essential part of the work process. This also applies to a new employee. We all know it very well – we hire a new employee who needs to be “trained” in safety at work, fire protection, a basic training for using systems, etc. A basic training in the field of cybersecurity must be part of this package. And not only that. A regular retraining of all employees including the managers contributes to security awareness dissemination and acquisition of the cybersecurity culture in the workplace. Your employees will appreciate that you are serious about the cybersecurity. As a bonus you can certainly count on fewer cybersecurity incidents which were caused by human ignorance.
Let’s get this straight – trainings may be quite boring for your employees. And if an employee doesn’t enjoy the subject, they will not develop any habits to protect themselves and the organization from cyber threats. However, this can be avoided – take the cybersecurity training as a game. Table-top exercises, gamesome trainings or demonstrations of specific threats can attract the attention and this topic will be better grasped by employees.
The advantage is the opportunity to practice own processes and procedures within the organization as well as to make employees’ working hours more varied. Exercises can be for example a part of teambuilding activities. Common security awareness leads not only to the organization protection but also to strengthening the work team, which will definitely bring better results.
Tests of accuracy
Educating your employees is one thing – but how can we verify that they have mastered the security rules and really apply them? Let’s take a test of accuracy – send a suspicious e-mail to all or selected employees and check their reactions. Or let’s drop the USB key in a public place and watch what happens. One big warning – such activity must be monitored and subsequently evaluated. As a result, we will know in which area of security we should improve.
Cybersecurity is a very broad topic that cannot be grasped by one person. Therefore, regular trainings should include the most important minimum that needs to be mastered. However, it is important for your organization to be able to respond to new threats also within the cybersecurity culture. Thematic trainings, for example on various forms of phishing or ransomware, will certainly help your employees to be on alert.
Hygiene not only in the bathroom
Keep repeating the basic security principles to your employees. And not just on regular trainings. Use other tools as well – information posters with security rules graphics, tables indicating threats, security newsletter … cyber-hygiene should be everywhere. Your employees will always keep security rules in mind.
Work from home
The cybersecurity culture doesn’t start inside the organization. It is also present outside the workplace, especially if your employees work from home or on a business trip. Make sure you follow the security rules outside the workplace as well. SK-CERT already published recommendations for employers on how to properly set up work from home (https://www.sk-cert.sk/en/the-national-cyber-security-centre-sk-cert-recommends-employers-how-to-safely-set-rules-for-home-office/index.html). We also created a set of basic rules for employees (https://www.sk-cert.sk/en/the-national-cyber-security-centre-sk-cert-recommends-employees-how-to-safely-work-during-home-office/index.html)
Don’t forget the experts
Cybersecurity specialists are the backbone of protecting your organization’s systems and networks. Do not underestimate their motivation and value. Allow them to be educated, send them to expert conferences and communicate with them about their needs. You will benefit from investing in the development of these employees in the future, for example, just by having a good team that will develop and enhance the cybersecurity culture in your organization.
Changing the cybersecurity culture in the organization is not easy. In fact, it is not just an aspect of cybersecurity awareness. There is much more – understanding the importance of the topic, motivation and willingness to participate in activities in this field play a major role. A strong and resilient cybersecurity culture definitely helps to protect the organization from cyber threats.
We need to understand the difference between security awareness and security culture. Security awareness is the knowledge and attitude that members of an organization possess regarding the protection of that organization. Security culture is more profound than awareness because it is an automated process. This cycle should be implemented and become part of daily life in the organization through the cooperation of all persons, from the management level to employees.
« Späť na zoznam