Cyber security has become an essential aspect of business and our lives that cannot be ignored.
A lot is at stake if cyber breaches occur – the loss of valuable information, reputational damage and the risk of litigation, to name a few. Therefore, organisations must develop a cyber-aware culture known as cyber security culture (CSC) to keep the risks of cyber security breaches to a minimum.
I will be sharing a list that could be followed for building and improving CSC in organisations. The list is by no means exhaustive; however, it provides a quick and useful guide for senior executives, managers, and employees on building cyber-aware teams and organisations.
The list comes from extensive research that I conducted on behaviours and perceptions of CSC as part of my PhD.
1. Understand The Need
It is essential to understand that there is a challenge. Hackers are targeting the information assets of organisations and individuals. Hence, a concerted effort is needed to defend organisations’ information assets, and adequate steps must be taken to foster and continue to improve CSC in organisations.
2. The Driving Force of Leadership Is Required
As the saying goes, everything rises and falls on leadership – this includes CSC! Organisation leaders are to champion the building of CSC. Leadership should promote CSC through their own example and by celebrating good cyber security behaviours seen in their organisation. Leaders are also to provide the funds needed for cyber security initiatives and to involve others in activities such as policy creation.
3. The Necessity Of Clear Communication And Engagement
IT professionals’ expectations can clash with the ethos of certain user groups. Therefore, clear communication, openness, and engagement between the parties are important. Organisations should seek and use users’ opinions, which may be valuable in securing information assets.
4. The Creation Of A Specialist Team/Cyber Security Champions
A selection of users from different parts of the organisation should be involved in activities and initiatives that affect the organisation’s CSC. A team of CSC champions who are closer to the users in their day-to-day operations can be created. The team can promote the expected cyber security behaviours, such as good password practices and the correct handling of phishing emails.
5. Training And Awareness
The importance of training and awareness cannot be overemphasised. Employees/users should be trained regularly. They should be made aware of the risks of cyber-attacks, such as social engineering, and adequate training should be provided to mitigate the risks.
6. Measure In Order To Improve
By measuring change in cyber security behaviour, it is possible to truly assess the progress that has been made over time. While CSC itself may be difficult to measure, a way around this challenge is to measure the observable aspects of CSC. Examples of these aspects are training update, training over time, and incident reporting.
7. Continuous Improvement
Continuous improvement should be a constant focus in fostering CSC in organisations. Policies and processes are to be reviewed from time to time. Important questions are to be continuously raised. For example, does the policy address the security behaviour that needs to be changed among employees?
A proactive effort in following the aforementioned steps will help organisations to build a cyber-aware culture needed to protect their information assets.
Users will feel valued and identify with their organisation because their involvement contributed to the creation of the cyber-aware culture. Hence, the users will continue to show their commitment to improving the CSC in their organisation.