Integrate security awareness into company culture

Today columnist Mathieu Gorge of Vigitrust says security awareness training must come from the top or it will fail. (Credit: Getty Images)

A recent white paper from Osterman Research highlighted the relationship between the time employees spend on security awareness training and the role they see themselves playing in the enterprise’s layers of defense. The paper went on to say that regardless of the training program, cyber responsibility must come from the highest level – the C-suite and the board – or it will fail.

Companies should take these warnings seriously.

C-level executives are typically more concerned with the time it takes to deal with cyberattacks than with the time it takes to give their staff effective security awareness training. Both employers and employees need to see the situation this way: if employees receive good security training at work, they can also better protect their own personal data at home. And if they make a habit of securing their own data, they will protect company and customer data when they get back to the office. It’s a win-win for the whole organization.

Today’s security culture

The existing security culture in most companies focuses on the use of corporate devices: what workers can and cannot do via email and social media, what websites they are allowed to visit, and how much time they can spend on non-work-related computer activity during working hours. Organizations that have been breached usually also offer detailed technical training; they will teach staff about the CIA triad (confidentiality, integrity, availability). That’s fine, but it is only the bare minimum that employees really need.

Most regulatory standards, such as PCI, CCPA, and GDPR, require companies to train staff upon hire and annually on security risks, incident detection, and systems use. However, security culture really depends on what senior management does to create accountability.

Cyber accountability means that an organization can trace every data transaction that takes place on its systems, so that if something goes wrong, it can report who accessed or received the data and what they did with it.

The Five Stages of Grieving Cyber Responsibility

Cyber responsibility has to come from the board and C-level executives, but when we try to discuss the topic with them, we often run into what I call the five stages of grieving cyber responsibility:

Denial: “It’s not our problem! We are here to increase shareholder profits, create jobs and add value.”

Anger: “Leave us alone! We’ve already hired a CSO and purchased a security training program. Go talk to our compliance officers!”

Negotiation: “Okay, we see our competitors being hacked and then audited by regulators. We will hire a reputable company to do an assessment that we can use as a roadmap.”

Depression: “Ugh. I can’t believe we have to establish security processes, install technical solutions and train our users. But alas, we have to.”

Acceptance: “Actually, it’s not rocket science. We can do it!”

The five pillars of cybersecurity

The Five Pillars of Security Framework that we developed has become well known and easy to use, and it enables companies to determine the level of cyber maturity of the board of directors and key decision makers. To determine how secure a business, organization or government agency is, one simply needs to look at five common denominators that affect them all: physical security; people’s security; data security; infrastructure security; and crisis management.

When you ask the C-suite about the readiness of each of these security categories, instead of asking them to choose between “It’s in place” and “It’s not in place”, give them options such as “I’m absolutely sure”, “I think so”, “I don’t think so”, “I don’t know”, “I don’t care”, and “It doesn’t concern our business.” If their answers are too often “I don’t know”, “I don’t care”, or “It doesn’t concern our business”, that should raise a red flag. Everyone must add value to security awareness and accept cyber accountability.

In short, involve all stakeholders across the five pillars to create a good security culture, and also provide security awareness training to all staff.

Make training fun

Be sure to stress security regularly. Two events each year are perfect for this: Global Security Awareness Month in October, when many events and trainings are held around the world; and Global Privacy Day on January 28. But companies can also take advantage of other occasions that involve teamwork, such as Global Diversity Month in March or International Women’s Day on March 8. All of these provide great opportunities to remind employees of what the business wants to achieve and what a culture of cybersecurity means for the organization.

I also recommend making security awareness fun and memorable. Gamify the training or turn it into a team building exercise. Create a fun quiz with rankings and prizes offered to different teams. Maybe the top five winners would get a small token prize from the company or a PTO day.

Make regular security awareness training an important part of the organization’s security culture. Finally, consider cybersecurity as a journey, not a destination: let’s make it fun.

Mathieu Gorge, Founder and CEO, Vigitrust