This week’s Ask the Expert is answered by Oz Alashe, CEO of CybSafe.
Ask the Expert: How can an organisation build a solid cyber security culture?
To develop a robust cyber security culture, businesses should do three things.
First, they should encourage open dialogue so everyone talks about cyber security concerns in a constructive manner. Cultures of blame, where users are punished or shamed for clicking phishing emails, aren’t at all helpful. People are successfully phished for a variety of reasons – their emotional state, their personality, the quality and apparent authenticity of a fraudulent email – and acting negatively towards staff doesn’t change or reduce these drivers. Accusations only dent the relationship between employees and security at a time when IT teams need employees to trust them and to approach them with concerns, suggestions, and information about possible data breaches. Ultimately, staff need to feel comfortable talking to other staff about cyber security.
Secondly, businesses should ensure that role models and influencers set a positive example to the rest of the business. Behaviour is often predicated on the actions of immediate colleagues, and that’s particularly true of those in more senior positions. In other words, it’s vitally important that the C-suite and upper management set a good example for everyone else when it comes to cyber security.
Thirdly, it’s important to ensure that values actually correspond to practices. I come across many business leaders who tell me that security is at the heart of what they do and that it’s a business enabler – but their training will consist of a security manual that is long and not commonly referred to, containing rules that conflict with what’s actually undertaken by the people who work there. It may seem like an obvious point to make, but it’s important to turn words into real-life action. Rules and values don’t matter if no one pays attention to them.