Year in and year out, cybercrime siphons trillions of dollars from the global economy, disrupts millions of organizations and forces thousands of companies to go out of business. By most accounts, up to 90 percent of cyberattacks are the direct result of human error. Yet these incidents often elicit no more than a collective shrug from the boardroom to the breakroom. Why? Because too many still consider cybersecurity to be entirely an “IT problem.”
For example, one recent survey found that 30 percent of employees do not think they have any responsibility for helping to maintain their company’s cybersecurity posture. Most said they probably wouldn’t even bother to report a security incident. When asked why, 25 percent said they don’t care enough about cybersecurity to mention it.
Meanwhile, the vast majority of IT professionals say C-suite executives are similarly indifferent. In a recent global study, 90 percent of respondents said company leadership would sacrifice cybersecurity to improve productivity, and 82 percent said they’ve felt pressure from higher-ups to downplay the severity of cybersecurity risks to board members. Additionally, half said many C-suite executives don’t even try to understand cybersecurity because they consider it an “impenetrable technology issue.”
Given the financial and operational burdens created by cybercrime, it should be evident that cybersecurity is now everyone’s responsibility. Whether you’re in shipping, sales, human resources or management, a single successful cyberattack could put you out of a job. Consider the case of Lincoln College in Illinois. Five months after a ransomware attack obstructed access to all institutional data, the college announced in May 2022 that it was closing permanently after 157 years of operation, leaving nearly 1,000 staffers unemployed.
To counter the growing threat landscape, organizations must take steps to establish an organization-wide cybersecurity culture. Doing so requires cooperation and commitment among technical staff, line of business employees and company leadership. Here are some of the practices that can help companies develop a more robust security posture.
Encourage Executive Involvement
Leadership sets the tone in any organization, so work with management to ensure cybersecurity gets the attention it deserves. Provide solid information that’s free from industry jargon and offer clear, logical solutions and suggestions.
- Conduct regular meetings to outline each department's current risk profile based on its existing practices and potential vulnerabilities.
- Keep management abreast of emerging threats and their potential impact.
- Describe incident response plans, including processes for mitigating attacks and recovering affected systems or data.
- Be prepared to demonstrate the bottom-line benefits of cybersecurity spending.
Cyber incidents frequently result from employees who click on malicious links or email attachments, unintentionally mishandle sensitive data or commit policy violations with “workarounds” that make their work easier. Security awareness programs are essential for correcting such behaviors, but keep these three guidelines in mind:
- Be consistent. Research indicates that employees who receive monthly training show marked improvements in their ability to identify social engineering and phishing techniques.
- Make it interesting. One study found that users are 13 times more likely to make fundamental changes in their security practices when they consider training to be interesting.
- Keep it simple. Remember that users are not security experts. Make training materials easy to understand and implement user-friendly security controls that don’t make their jobs more difficult.
There’s no simple playbook for building a strong security culture. It’s an ongoing process that requires regular emphasis and continual education. If you’re not sure where to start, give us a call. We can work with your IT team to develop and implement techniques for encouraging organization-wide adoption of good cybersecurity practices.
January 24, 2023