Cybersecurity as a culture – is it possible?

ChannelBytes

What happened to the good old days when companies could build high (fire)walls around their systems, perhaps add a moat and a few security landmines, and then only have to react when an alert was triggered? Nowadays companies have to worry about whether someone accessing the company system is who they say they are, is accessing only what they’re authorized to, and isn’t doing anything they’re not supposed to.

Cybersecurity has become much more complex, and this is not just because of hybrid and remote working. Threat actors have jumped on the old Trojan horse concept, recognizing that it’s much easier to steal what they want from inside the security perimeter than to spend time and effort breaking through it. Phishing emails remain one of the biggest threats to cybersecurity, even though they’re a well-known method of attack. Too often employees get duped into acting on instructions, believing the emails are legitimate. They give away access, while threat actors smile and happily hack.

This highlights an important reality. It’s not enough to have a strong IT security department. Every employee represents a security risk. Education and training are only as effective as employees remembering what they’re taught. With this in mind, how can companies engage with employees so that cybersecurity becomes embedded as part of the company culture?

The UK’s National Cyber Security Centre recently published guidelines to help companies do just that. They highlight that it’s a common challenge and the reason why most companies default to prioritizing security products and services. However, there’s the universal acknowledgement that cybersecurity is a fundamental element of business success. If hit by an attack, it has the potential to entirely derail the business, wipe out customer trust, brand reputation and profits. It simply makes sense to have a strong cybersecurity culture.

Getting employee buy-in requires making cybersecurity relevant to employees. They need to understand the risks, to the business and to themselves, and that strong security underpins business success. So often security is seen as a hindrance to efficient workflows. If companies want to get employee buy-in, they need to take this into consideration. If security measures frustrate employees, they’ll simply find ways to circumvent them – which then puts company systems at risk.

Security also needs to come with a level of trust. This is built by discussing security in terms of learning and experiences rather than assigning blame. When employees feel safe asking questions or reporting problems it builds a stronger security culture. They then recognize that they have a proactive role to play in ensuring that systems are kept safe.

There also needs to be recognition that cyber threats and attack paths are constantly changing. Adaptability requires a positive and proactive attitude towards change from both management and staff. When new security policies are implemented, they need to be accompanied by adequate support. If there are impacts on the workforce, having a way to report them without condemnation will go a long way towards building greater security resilience.

The takeaway is that while cybersecurity may be all about tech, it still needs a human approach, one that empowers and enables employees, if it is to become part of the company culture.
