Cybersecurity culture: Is your company’s fit for purpose?

Cybersecurity Culture Building Blocks

It has long been recognised that a decent cybersecurity culture is one of the critical defences a company needs to protect itself (and its customers) against cybercrime. You can have the finest cybersecurity software and policies in place to protect your data, assets and reputation, but if your business lacks a decent cybersecurity culture underpinning these other security measures, or you have one but not all your staff are buying into it, then you leave yourself vulnerable to attack.

Today we’re going to take a look at what a cybersecurity culture is, how the pandemic has turbocharged the need for one, the threats cybercriminals pose to you and your customers, and how you can create a strong cybersecurity culture in 2022 to protect your company from these. Let’s get started…

What is a cybersecurity culture and why is it so important?

A cybersecurity culture isn’t something you can buy, and it isn’t a one-hit, quick-fix solution to fill any IT security gaps your business may have; that’s an IT Policy. Instead, a cybersecurity culture is a custom nurtured and developed over time. It is the attitude and social behaviours of an organisation’s members, formed by your company’s processes, structure and goals. At its core, a cybersecurity culture is a recognition that it’s people that make an organisation secure, rather than technology.

Cybersecurity culture training is just as important as any other course your business may run for employees, yet the UK’s Department for Digital, Culture, Media & Sport’s 2020 Cyber Security Skills report found that just 11% of businesses provide cybersecurity culture training to non-cyber employees, showing there’s some way to go before this security ethos becomes truly mainstream.

Done badly, IT security training can often be confusing to follow and its requirements difficult to apply once staff get back to their desks, with constantly amended, fragmented practices designed to cater for new technologies and ever-changing threats. The implementation of a cybersecurity culture is the responsibility of the company’s leadership team, rather than the IT department, and weaving the ethos into the fabric of a company’s philosophy is the best way of engendering a good cybersecurity culture.

Pandemic turbocharges cybersecurity issues

The pandemic’s arrival in early 2020 caused a (literal) overnight sea change in the way many businesses operate. Remote working became mandatory for the majority, and the starting gun was fired in a global IT arms race to provide employees with the equipment they needed – including laptops and smartphones – to work from home.

This is when cybersecurity issues increased significantly because remote-working offers great opportunities for cybercriminals. Suddenly IT departments had to contend with employees using office equipment on unfamiliar Wi-Fi networks that may not have the latest security certification or encryption, for example. Similarly, employees using their work devices to access personal email exposed the equipment to phishing campaign scams and, as people started to return to the workplace, there was the risk of infecting office networks with any malware picked up during the lockdown periods.

Remote working created significant and unfamiliar challenges for IT departments, who had to deal with them as they presented themselves. Unfortunately, these issues were exacerbated because businesses were largely distracted by dealing with the pandemic’s broader impact: the Ernst & Young 2021 Global Information Security Survey found that 81% of the executives surveyed said COVID-19 had led their organisations to bypass cybersecurity processes, with insufficient budget and regulatory complexity considered key challenges.

What are the threats?

Clearly, any company with a strong cybersecurity culture is well placed to combat cybercrime while working in a remote or hybrid system, and employees are trained to spot suspicious cyber activity and deal with it appropriately. The largest threat to a business remains phishing campaigns, and ransomware analytics firm Coveware notes that in 2020 phishing became the most common type of attack used by criminals attempting to access an organisation’s information and data.

Elsewhere, over half of the malware delivered in 2020 was via cloud applications (which many were using in a remote-working capacity for the first time during the pandemic), and email breaches are also common and can result in the loss of sensitive company information and financial loss.

One of the greatest threats to a business’ cybersecurity comes from within. Miscommunication between senior management and the IT department will often mean that those leading the company are unaware of the threat landscape, and the implications of a cybersecurity breach. Educating these leaders to understand the challenges cybercrime presents, and helping them to implement a mature cybersecurity culture is the best way of combating these issues. Let’s take a look at how you go about doing that.

How to move forward with a strong cybersecurity culture

Given the issues that remote and hybrid-working have raised for IT security in the last few years, there’s never been a better time to appraise your cybersecurity culture and focus on improvements as we move into 2022.

What makes a cybersecurity culture unique in IT terms is its philosophical nature. Good communication between the IT department and senior management – who are ultimately responsible for company ethos – is critical in creating a cybersecurity culture, and regular meetings with management to explain the threat landscape and the real-world risks cybercriminals pose are important for getting the leadership team on board. The Head of IT should be a C-level executive and sit on the board of any company. IT, as a business function, should be elevated in importance to sit alongside Sales, Finance and Compliance, and should be viewed as strategically important to a business, not just operationally critical.

Helping employees to understand their part in creating, and actioning, a cybersecurity culture is also important. Training must be more than a box-ticking exercise, and judgment-free support with the practicalities of understanding how to increase company-wide cybersecurity is key. There’s no such thing as a stupid question. Similarly, removing the fear factor of reporting an IT security breach or gap will make employees more likely to help, and focusing on fixing a process over blaming an individual in solving issues will encourage adoption of the cybersecurity culture. An acceptable use document is a great way of helping employees use their work devices and software in a safe manner.

If you’re not sure how healthy your company’s cybersecurity culture is, then a company-wide quiz that focuses on attitudes, behaviours, communication and compliance towards IT will help you to recognise the key issues, and set about plugging any gaps.

The pandemic has meant a significant chunk of the global workforce now operates remotely, meaning there have never been as many people connected to the internet before. This enlargement of connected numbers, combined with the anxiety and stress that COVID-19 has created, provides cybercriminals with more attacking opportunities than ever before, and a strong cybersecurity culture is critical in combating these new threats.

At Dr Logic, we can help you with all aspects of IT security, including engendering a strong cybersecurity culture within your company.

Book a free consultation.

Like what you’ve read and would like to know what else we know? Then get in touch.