Cybersecurity is the responsibility not only of the IT department or top management but of everyone in the company. The activities that employees carry out within, and beyond, the walls of the organization have an impact on data safety and system protection. One wrong move may lead to a breach of critical information, which can result in millions in fines and damage to the company’s reputation. This is why having a culture that values cybersecurity is important. But how does one build a cyber-secure culture? According to the US National Institute of Standards and Technology (NIST), a cyber-secure culture has the following five components:
A significant component of culture, mindset is what enables a behavior to persist. Without it, the mandate to be cyber-secure would become a passing notion, entering one ear and going out the other. However, changing the mindset is not an easy feat to accomplish. It will take effort, especially from top management, which has the responsibility of steering the organization towards a desired end. Cybersecurity is not merely a set of rules that leaders can copy and paste but a way of thinking that encompasses actions and policies. The following are a few tips for establishing a cybersecurity mindset:
Leaders drive the organization forward. Therefore, the push to embrace a culture of cybersecurity must come from them. They should be the first to champion cybersecurity policies in the organization, and they should serve as role models by following and observing these protocols. Leaders need not have deep and extensive knowledge of cybersecurity, but they should be willing to learn, to adopt best practices, and to work with experts. The following are a few tips for leaders of organizations:
The need to embrace a culture of cybersecurity should not remain with top management and leaders but should be cascaded down to all levels of the organization. Remember that any person within the company can be an unsuspecting target of cyberattacks. For this reason, it is important that programs be created and implemented to make everyone in the organization aware of, and motivated to follow, the established protocols and guidelines. Though this will not eliminate risk entirely, there should be fewer incidents, since people are more careful and vigilant. The following are a few tips for training and awareness:
For training your employees, the following material from the UK’s National Cyber Security Centre (NCSC) can be of help: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available
In order for the culture of cybersecurity to take root, top management should convey to all employees that it is serious about its mandate. One way to make this happen is by including cybersecurity metrics in the performance management process. With this, employees will always be reminded that part of their responsibility is to ensure that their actions comply with cybersecurity policies and that they will not do anything that could compromise the systems and safety of the company and its people. The following are a few tips for setting metrics:
Technical and system policies are an integral part of a culture of cybersecurity. People, no matter how prudent they are, may commit errors and violations of the organization’s cybersecurity protocols. This might be due to several factors such as stress, ingrained habits, or pressure to deliver results. But whatever the reason, a person’s misstep might mean disaster for the organization. This is why fail-safe and fool-proof interventions, as far as possible, are essential to maintaining a cyber-secure culture. The following are a few ideas:
We at Trinity hope that this article will be helpful for you and your company in the fight against cybercrime. This is why, apart from standard insurance products, we also offer specialty insurance lines, one of which is Cybercrime Insurance.
Cybercrime Insurance provides protection for liability arising out of unauthorized use of, or unauthorized access to, electronic data or software within your network or business. This insurance provides protection against claims arising from a breach of confidential customer information and covers the expenses of legal advice in connection with an investigation by the Data Protection Authority.