Top Tips for Building a Cyber Security Culture

Whilst cyber security policies and training undoubtedly play an important role within an organisation’s cyber security strategy, threats continue to become more sophisticated and cyber-attacks more frequent, and merely relying on policies and periodic education sessions is not always enough. As the number and scale of cyber-attacks continue to increase, it’s clear that organisations need to do more to ensure that they are protected.

To find out more about how organisations can foster a robust security culture themselves, we went along to the North West Cyber Security Cluster’s (NWCSC) ‘How to Build a Cyber Security Culture’ event, organised by Manchester Digital. The panel brought together experts from companies who have demonstrated success in creating and maintaining effective security cultures. They offered invaluable insights into their proven methods and gave attendees the opportunity to ask questions and share their own experiences.

As a PR agency operating in the tech sector, we work with clients such as Distology, a top-class IT security distributor, to help educate organisations and raise awareness of the importance of cyber security.

In order to provide the best possible service to our clients, we are always looking to further develop our knowledge and strengthen our skills in the sector, and what better way than to learn first-hand from industry professionals? Thank you, Manchester Digital, for putting on yet another useful event on the importance of this issue.

We’ve summarised some of our key takeaways from the discussion on how to build a cyber security culture within your organisation…

Make it personal

When we talk about the repercussions of a cyber-attack, the first thing that comes to mind is the costs incurred by companies as a result. Although these are often eye-watering sums of money, for many employees they simply do not resonate. Therefore, it is important to educate employees on how a cyber security breach can affect all of us as individuals. If our own personal data is leaked due to a breach, the effects can extend into our personal lives and possibly those of friends and family.

Providing this context on why it is so important to consider secure practices when we’re online, in both a personal and a professional setting, is almost guaranteed to hit home harder than figures and statistics. As humans, we’re far more likely to be mindful of our cyber security practices when we consider the impact they can have on our loved ones.

Keep your cyber security policy simple

Not only does the context need to resonate with employees, but the language you use does too. When crafting your cyber security policy, you should aim to keep it clear and concise. An unnecessarily lengthy and jargon-packed document is likely to confuse employees, or perhaps even discourage them from reading it at all. Policies that are written in plain English and get to the point are far more likely to aid employees in their cyber security practices.

The presentation of your policy can also make all the difference. Structuring the text with paragraphs, relevant titles and visual aspects, such as tables defining roles and responsibilities, will also make it much easier for employees to follow.

Not just a tick-box exercise

Speaking of lengthy policies, how many times have you been presented with a policy that requires a tick in a box to confirm you’ve read it? And how many times have you skim-read it? Many of us have become conditioned to scroll through to the end without giving it too much consideration (think T&Cs!). Organisations that successfully build a cyber security culture go beyond asking their staff to perform a simple comprehension task. Creating a dialogue and having face-to-face discussions about the policy in place encourages employees to engage with the policy and really think about how it impacts their role. By opening up one-to-one conversations, members of your team will naturally ask questions they may never have bothered to if they had just been given a policy document to read, and this could be the difference between them accidentally causing a breach, or not.

Promote a no-blame culture

So, you’ve found your employees’ ‘why’, written an easy-to-understand policy and you’ve had conversations with your staff to ensure they’ve got to grips with it, so what’s next?

One of the biggest takeaways from the session was that very few organisations get it right first time and mistakes do happen. In fact, researchers from Stanford University and a top cyber security organisation found that approximately 88 percent of all data breaches are caused by an employee mistake! So, even more important than policies and training programmes is creating an environment where employees feel confident enough to speak up when they think they have made a mistake that has resulted in a breach. Finding out a breach has occurred at the earliest opportunity will allow you to act fast and mitigate the impact, as well as learn from it and change your approach to cyber security if necessary.

While we’re not a company which advises on cyber security ourselves, we can support those within the sector to raise awareness of tech that can help organisations navigate the increasingly busy sector. Interested in hearing more? Get in touch or check out our case studies.
