Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
Cybersecurity has long been top of mind for organizations of all types and sizes. The pandemic has reshaped these concerns and, in many ways, made them more complex and more urgent. As a Fortune article pointed out in April, “The hybrid office will create great opportunities — for companies and cybercriminals.”
Those opportunities, of course, are already being exploited. The resulting threats won’t be addressed through one-off, episodic initiatives designed to raise awareness and change ingrained employee attitudes and behaviors. Only a strong security culture can do that.
The Critical Importance Of A Strong Security Culture
What is “security culture”? It is the ideas, customs and social behaviors of an organization that influence its security. It is the most important element in an organization’s security strategy. And for good reason: The security culture of an organization is foundational to its ability to protect information, data and employee and customer privacy.
Some companies are beginning to get it. They are moving beyond tactical, episodic approaches to security and recognizing that effective enterprise-wide security requires a strategic, long-term approach, focusing more on communication and culture than exhortations from IT and an ongoing stream of new policy mandates.
It’s disheartening, though, that there are still plenty of organizations that don’t get it. This is especially alarming given the uptick in phishing attacks we’re seeing. In its Q4 2020 Ransomware Marketplace Report, ransomware remediation and analytics firm Coveware noted that, for the first time, phishing surpassed all other techniques as the most common initial access vector in the ransomware cases it handled.
The Pandemic Impact
Not surprisingly, during the pandemic, some industries and organizations have seen their security cultures stagnate or decline. As many organizations transitioned to a work-from-home model, new security issues and concerns emerged, with communication and education becoming somewhat more challenging.
Security Magazine cited a study in which 46% of respondents experienced “at least one security incident” since the pandemic started. More than half (51%) were victims of email phishing attacks. Covid-19-themed phishing campaigns impersonated trusted brands like Netflix, Microsoft and the CDC to commit fraud, exposing “deeper, more significant cracks in enterprise security.”
Customers of my company (KnowBe4) tell us there is an overt hunger for more focused security information and an awareness that they may have gaps in their knowledge. They feel like they would not be able to detect if their computers were compromised. As we know, an intrusion that ends in ransomware can sit undetected in a network for months before the payload is deployed, even in top-performing organizations.
Ongoing awareness, understanding and appropriate action are required to ensure organizations’ data is safe and that employee and customer data is not compromised. But information can be confusing.
Inconsistent Messaging Creates Confusion
It’s not surprising that there is so much confusion among employees about what they should and shouldn’t be doing to protect company information. Even something as seemingly simple as using effective passwords has historically been a mishmash of contradictory and changing communications.
Over the past 30 years, security experts have told employees everything from “change your password every 30 days” to “don’t change it unless it has been exposed in a breach,” and from “use only letters or only numbers” to “use a mix of numbers, symbols, upper- and lowercase letters.” It’s no wonder that employees are not only confused but burned out by changing and hard-to-understand directives. (For the record, current guidance in NIST SP 800-63B drops forced periodic rotation and composition rules in favor of long passwords checked against known-breached lists and, wherever possible, multifactor authentication.)
We can do better. As we indicated earlier, the key to building strong security behaviors is building a strong security culture. That means an ongoing process that is driven not from the IT department but from the top of the organization down, fueled by a relentless and consistent drumbeat that helps employees understand exactly how their daily behaviors have the potential to protect or threaten corporate data.
Building And Supporting A Strong Security Culture
There are some very practical and actionable steps organizations can take to develop and nurture a strong security culture across seven distinct dimensions:
• Attitudes: Employee feelings and beliefs about security protocols and issues.
• Behaviors: Employee actions that impact security directly or indirectly.
• Cognition: Employee understanding, knowledge and awareness of security issues and activities.
• Communication: How well communication channels promote a sense of belonging and offer support related to security issues and incident reporting.
• Compliance: Employee knowledge and support of security policies.
• Norms: Employee knowledge of, and adherence to, unwritten rules of conduct related to security.
• Responsibilities: How employees perceive their role as a critical factor in helping or harming security.
These seven dimensions are measurable via a security culture survey. Start by measuring where you are today to establish a benchmark. Then compare your survey results against those of your own and other industries and build a plan for improvement. For instance, if you find that you need to up your game in terms of “norms,” you might consider implementing a security champions program or a mentorship program. If your organization needs improvement in the dimension of “cognition,” you could reassess your security awareness program. You get the idea: understanding where you are tells you where you can improve, and repeating the survey tells you whether the changes worked.
Security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behaviors and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape. The alternative becomes less attractive by the hour: do nothing and watch your organization grind to a halt from ransomware, data theft or business interruption.