Your People: The Most Important Cybersecurity Layer


What Is a Cyber Security Culture?

A cyber security culture in the workplace refers to employees’ shared beliefs, values, knowledge, and what importance they put on cyber security. Although this will look different in every business and vary in implementation, the core principle of a good culture is an acknowledgement of the importance of cyber security throughout the workforce.


The Importance of a Cyber Security Culture

Fostering a strong cyber security culture generally prompts behavioural changes among employees, leading to increased vigilance and a decreased susceptibility to human-led cyber-attacks.

88% of cyber-attacks are caused by human error*, which can be avoided. A good cyber security culture aids in reducing the number of cyber-attacks caused by human error and minimising avoidable losses.

An important aspect of a good cyber security culture is to remove any blame or shaming of individuals who, through lack of awareness or simply by accident, breach protocol or even cause a breach. Instead, the aim is a culture of transparency and honesty in which staff are praised for being open, so that mitigation strategies can be deployed to prevent similar breaches in future.


Advantages and Business Impact of an Effective Cyber Security Culture

Business Continuity:

A well-established cyber security culture can ensure business processes remain uninterrupted. Cyber incidents, no matter how small, waste time and have disruptive consequences. The increased awareness that comes with a good cyber security culture contributes to a reduction in the number of security incidents. This reduction will allow your business to run smoothly: saving you time, money, and resources.

Protection of Sensitive Data:

Similarly, employees who place value on good cyber security practices prevent many instances of data theft. In a workplace that lacks a good cyber security culture, data can be leaked through carelessness and poor management of information. Instances where this might occur include:

  • Failing to ‘lock’ devices.
  • Failing to follow password policies correctly.
  • Falling victim to social engineering or phishing attacks.
  • Falling victim to malware.
  • Inappropriately discussing confidential information.
  • Failing to notify your DPO when a suspected breach may have occurred.

Cost Savings:

Effective cyber security cultures can save money by avoiding:

  • Legal repercussions.
    • Maintaining a cyber security culture will likely keep you compliant with the Data Protection Act, specifically ensuring that data is “handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage”.
    • This could otherwise be broken by employees who don’t realise the significance of cyber secure practices when handling data. Instilling this value minimises the risk of fines by regulatory bodies such as the ICO, which can reach up to £17.5 million or 4% of your total worldwide turnover.
  • Recovery costs.
    • Cyber incidents that result in compromised or lost data often require data recovery services. This can be costly, and prevention is far more cost-effective.

How to Establish a Cyber Security Culture

Start at the Top:

Conversations about cyber security must begin at director level. Cyber security is a boardroom issue – the board of directors should establish cyber security strategy and the culture will permeate through the business. You can read about the importance of this approach here.

If you are a director, it is your responsibility to raise cyber security at the board until you are satisfied that the whole business recognises its importance. If you are not a director, it is your responsibility to raise this with a director. As a member of your business, you have a duty to ensure that all possible steps are taken to protect your colleagues and those of the public that you are engaged with.

Implement Schemes:

Government-backed schemes, such as the UK’s Cyber Essentials Plus, are a great way to implement a cyber security culture in your business. Cyber Essentials Plus is a set of controls that organisations can choose to follow to improve their cyber security policies and practices. These can then be audited, earning the business a certificate that proves it has a solid base for cyber security.

When your organisation adheres to specific standards surrounding security, it sets an example for all employees – especially when those standards are audited by an official body.

Proper implementation of CE+ will likely change the way that employees approach things. With implementation of CE+ come controls such as Multi-Factor Authentication, which will remind employees daily that they are in a company that places high importance on its cyber security. Other control measures that can be implemented include an Information Security Management System (ISMS).

Conduct Phishing Simulations:

Phishing attacks were the most common form of cyber-attack reported in the UK in the last year: 79% of UK businesses reported experiencing a phishing attack. Phishing attacks were also seen as the most disruptive attack that organisations face, perhaps because of the sensitive nature of the information that these attacks typically steal.

Conducting planned and simulated phishing attacks aimed at employees of your business gives you an understanding of the level of vigilance and cyber security awareness your staff have. It allows you to identify employees who are falling for the fake phishing attacks, who can then be notified and provided with education so that they are less likely to fall for a real phishing attack.

Phishing simulations are effective reminders to staff of how vigilant they must be when opening emails, texts, or any other form of communication. The intention of them is not to punish those who fall victim to the simulation, but to educate, remind, and foster a supportive cyber security culture.

You can launch phishing simulations via cyber security firms – ensure that you find a provider that can tailor the campaign to your needs, so that you can maximise the benefits.

Culture is Key

In a workplace culture where cyber security is treated as vital, the weakest link of the business is strengthened: the worker. Once the worker is aligned with the business’ cyber security goals, the staff become the most important and effective layer of protection.

It is essential that an employee understands that senior management is invested in a culture of transparency and openness. They must know that they will be educated on good cyber security practices and thanked for raising concerns or suggestions for improving cyber security. This ensures that the employee will act in the best interests of a strong cyber security culture.

A strong cyber security culture ensures a business is best placed to be aware of and assess cyber risks and can therefore implement effective mitigation strategies.


References:

  • UK Government, Cyber Security Breaches Survey 2023: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023
  • KnowBe4, “88 Percent of Data Breaches Are Caused by Human Error” (*): https://blog.knowbe4.com/88-percent-of-data-breaches-are-caused-by-human-error
