Building a Cyber-secure Culture
Cybersecurity is the responsibility not only of the IT department or top management but of everyone in the company. The activities that employees carry out within, and beyond, the walls of the organization have an impact on data safety and system protection. One wrong move may spell a breach of critical information, which may result in millions in fines and damage to the company's reputation. This is why having a culture that values cybersecurity is important. But how does one build a cyber-secure culture? According to the National Institute of Standards and Technology (NIST) of the United States, a cyber-secure culture has the following five components:
1. Mindset
A significant component of culture, mindset is what enables a behavior to persist. Without it, the mandate to be cyber-secure would become a passing notion, going in one ear and out the other. However, changing the mindset is not an easy feat to accomplish. It will take effort, especially from top management, which is responsible for steering the organization towards a desired end. Cybersecurity is not merely a set of rules that leaders can copy and paste but a way of thinking that encompasses actions and policies. The following are a few tips to establish a mindset of cybersecurity:
- Create a sense of urgency in the organization about the need to be cyber-secure by highlighting the negative effects of data breaches and system failures.
- Include cybersecurity in the enterprise risk management process.
- Establish a process of reporting cyber risk in the organization.
2. Leadership
Leaders drive the organization forward. Therefore, the drive to embrace a culture of cybersecurity must come from them. They should be the first to champion cybersecurity policies in the organization, and they should serve as role models by following and observing these protocols. Leaders need not have deep and extensive knowledge of cybersecurity, but they should be willing to learn and adopt best practices and to work with experts. The following are a few tips for leaders of organizations:
- Engage cybersecurity experts, whether external consultants or internal hires, to develop and monitor cybersecurity guidelines and policies.
- Allocate adequate funds for cybersecurity initiatives.
- Do not rely solely on compliance standards; explore industry best practices and improve according to the company's specific situation.
3. Training and Awareness
The need to embrace a culture of cybersecurity should not stop at top management and leaders but should be cascaded down to all levels of the organization. Remember that any person within the company can be an unsuspecting target of cyberattacks. It is therefore important that programs be created and implemented to make everyone in the organization aware of, and motivated to follow, the set protocols and guidelines. Though this will not eliminate risk entirely, incidents should become fewer because people are more careful and vigilant. The following are a few tips for training and awareness:
- Training may take the form of computer-based learning modules and in-person meetings. It should be conducted on a regular basis to refresh employees' knowledge and to update them on recent risks.
- Make employees familiar with the common types of cyberattack, such as malware, ransomware, phishing, and social engineering.
- Orient them on what they should do if they suspect they have fallen victim to a cyberattack.
For training your employees, the following video from the UK's National Cyber Security Centre can be of help: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available
4. Performance Management
In order for the culture of cybersecurity to take root, top management should make clear to all employees that it is serious about its mandate. One way to make this happen is by including cybersecurity metrics in the performance management process. With this, employees will always be reminded that part of their responsibility is to ensure that their actions comply with cybersecurity policies and that they will not do anything that could compromise the systems and safety of the company and its people. The following are a few tips for setting metrics:
- Sample metrics that can be included in the performance management process are attendance at required cybersecurity training and zero violations of protocols and guidelines.
- Include cybersecurity in one-on-one meetings with employees and direct reports.
- Include cybersecurity incidents among the metrics measured on the company's dashboard.
5. Technical and Policy Reinforcement
Technical and system policies are an integral part of a culture of cybersecurity. People, no matter how prudent they are, may commit errors and violations against the organization's cybersecurity protocols. This might be due to several factors such as stress, ingrained habits, or pressure to deliver results. But whatever the reason, a person's misstep might mean disaster for the organization. This is why fail-safe and fool-proof interventions, as far as possible, are essential to maintain a cyber-secure culture. The following are a few ideas:
- Ensure that physical security controls are in place throughout the organization, such as proper storage of sensitive files and appropriate location access for each employee.
- Protect the data on your devices by using strong passwords, requiring multi-factor authentication, and limiting login attempts.
- Keep your antivirus software up to date.
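The "limit login attempts" control in the list above is easy to state and easy to get wrong in practice, so here is an added example of how such a control is typically implemented. This is illustrative code written for this article, not a product or library the article describes; the account names, password, thresholds (5 failures in 5 minutes, 15-minute lockout) and the injectable clock are all constructed assumptions chosen for demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

# --- Credential storage (constructed sample; not real accounts) ------------
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns salt || digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

# Used for unknown accounts so they cost the same as real ones (no username leak).
DUMMY_HASH = hash_password("placeholder-not-a-real-password")

# --- Failed-login limiter ---------------------------------------------------
class AttemptLimiter:
    """Counts failures per account inside a sliding window and locks the
    account once the threshold is reached. The clock is injectable so the
    behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}   # account -> failure times
        self._locked_until: Dict[str, float] = {}     # account -> unlock time

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: reset state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed login; return True if this failure locked the account."""
        now = self.clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.window_seconds]  # drop failures outside window
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def authenticate(limiter: AttemptLimiter, store: Dict[str, bytes],
                 account: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied'. Locked accounts are refused before
    the password is checked, so a correct guess during lockout is still refused."""
    if limiter.is_locked(account):
        return "locked"
    stored = store.get(account, DUMMY_HASH)
    # Always run the hash so unknown and known accounts take the same time.
    if verify_password(password, stored) and account in store:
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"

if __name__ == "__main__":
    # Constructed demo: three wrong guesses lock the account.
    limiter = AttemptLimiter(max_failures=3, window_seconds=60.0, lockout_seconds=120.0)
    users = {"alice": hash_password("correct horse battery staple")}
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(guess, "->", authenticate(limiter, users, "alice", guess))
```

Two design points worth noting: the lockout check happens before the password is verified, so the limiter genuinely caps the number of guesses rather than merely delaying feedback, and unknown usernames are hashed and counted exactly like real ones, so the limiter does not reveal which accounts exist. In production the counters would live in shared storage rather than process memory, and lockouts should be logged as security events so repeated lockouts surface on the incident dashboard mentioned under Performance Management.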
We at Trinity hope that this article will be helpful for you and your company in the fight against cybercrime. This is why, apart from standard insurance products, we also offer specialty insurance lines, one of which is Cybercrime Insurance.
Cybercrime Insurance is protection for liability arising out of unauthorized use of, or unauthorized access to, electronic data or software within your network or business. This insurance provides protection against claims due to a breach of confidential customer information and covers the expenses of legal advice in connection with an investigation by the Data Protection Authority.