Cybersecurity Awareness Month: Building a Culture of Cybersecurity in your Organization
October is Cybersecurity Awareness Month, but cybersecurity shouldn’t only be embraced one month each year. Cybersecurity needs to be a year-round piece of your organization’s culture.
How do you turn Cybersecurity Awareness Month from a one-time event into a year-long practice, embraced by all of your employees?
As the saying goes, “Security is everyone’s responsibility.”
To build any culture, having an easily repeatable phrase isn’t enough. It must be embraced at every level, and understanding must be passed along to others with the heart of a teacher.
To ensure you are weaving understanding into every area of your organization, here are a few strategies to build a culture of cybersecurity.
Repetition with Reason is Required
Repetition with reason is required. What do I mean? Repeat the expected security practice together with instructions that answer two questions for your employees: “What’s expected of me?” and “Why are we doing this?”
Employees need to know both how to use a security technology correctly and why they should be using it before they will genuinely embrace it. If they don’t understand why a control exists, the extra steps it adds look like an inconvenience, and a control that seems both inconvenient and unimportant is one they will find ways to side-step.
For example, it’s not enough to buy an MFA solution, have employees set it up at onboarding, and then tell them, “Be sure to use MFA.”
To get the full value of MFA, employees need to understand what it is, why they need to use it, the common mistakes to avoid, and the ways bad guys try to get around it: for instance, flooding someone with push prompts until they approve one just to make them stop, or a lookalike login page that relays the one-time code to the real site while it is still valid. An employee who knows these tricks exist is far more likely to refuse an unexpected prompt and report it.
Much like any security precaution, people need to understand why it’s there, what it does, and how to use it correctly so they fully and properly embrace it.
Provide Ongoing Training and Education
If you want to learn piano, would you sign up for annual piano lessons? Probably not. Visiting a topic once a year does not facilitate effective learning. Not only will you forget a lot, but you’ll also never be able to build upon the previous lesson. You will remain stagnant, forever trying to learn “Hot Cross Buns.”
Similarly, a single cybersecurity training session, issued once a year, won’t cut it. Cybersecurity threats are an ongoing problem that needs an ongoing solution. If you want employees to keep security top of mind and react appropriately to threats, you need to engage with them regularly.
Cybersecurity is constantly evolving, and your team needs to evolve with it. Update employees regularly on the latest threats through training sessions, webinars, or internal communications. Keep cybersecurity an ongoing conversation in your organization, and make it a point to address security measures every time a new process is introduced.
Be sure your leaders lead by example, openly discussing their participation in the training, and set clear expectations that all employees are to engage in cybersecurity training and education.
Foster a Safe Reporting Environment
Employees should feel comfortable reporting potential threats without fear of punishment. Whether someone clicked a suspicious link by accident or received a questionable email, encouraging swift reporting is necessary to mitigate damage.
Phishing simulations are a popular part of cybersecurity training, and a powerful one, but only if they are run appropriately. It’s essential to remember the mission of phishing simulations, which is TO TEACH, not trick. Don’t cross the line like GoDaddy did a few years ago when they got into hot water for phishing their employees with a campaign that promised holiday bonuses. Now, you may be thinking, “That’s not so bad, because wouldn’t the bad guys tempt people with that exact type of offer?”
Yes, bad guys do tempt people with fake offers like holiday bonuses. The problem was that GoDaddy’s team used insider access and capabilities an outside attacker wouldn’t have. Instead of crafting a ‘phishing email’ with the tell-tale signs employees had been taught to look for, they effectively sent a genuine internal email, leaving no realistic cue for anyone to catch. That crossed the line from ‘intending to teach’ into ‘intending to trick’ their employees, and a simulation nobody could reasonably spot teaches nothing.
Another temptation is to test people with phishing simulations and then punish those who click. Instead, if you want employees to improve their ability to catch and report suspicious emails, give them specific education on the parts of an email that indicate it is a phishing attempt: a sender address that doesn’t match the display name or uses a lookalike domain, a Reply-To that goes somewhere other than the sender, link text that shows one site while the actual destination is another, unexpected attachments, and pressure language such as “urgent” or “within 24 hours.”
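To make those indicators concrete, here is an added example that is not part of the original post and not a Snap Tech IT tool. It runs the checks above over a raw email using only the Python standard library. The organization domain (ORG_DOMAIN), the two sample messages, and the indicator wording are constructed for illustration; the sender and link domains are not real.

```python
"""Flag the email features that awareness training teaches people to check.

Added example (not from the original post). Standard library only.
ORG_DOMAIN, the sample messages and the indicator names are assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the organization's own mail domain

# Constructed phishing sample: lookalike sender, foreign Reply-To,
# link text that hides its real destination, and urgency wording.
SAMPLE_PHISH = """\
From: "Example HR Department" <payroll@examp1e.com>
Reply-To: collect@payroll-portal.test
To: employee@example.com
Subject: URGENT: confirm your holiday bonus within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your bonus is ready. Verify immediately or it will be forfeited.</p>
<p><a href="http://payroll-portal.test/verify">https://hr.example.com/bonus</a></p>
</body></html>
"""

# Constructed benign sample for comparison.
SAMPLE_CLEAN = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Monthly security newsletter
Content-Type: text/plain; charset="utf-8"

This month's newsletter is on the intranet at https://intranet.example.com/news
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "forfeited", "suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains (1 for l, etc.)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))

    # 1. Sender domain is a near-miss of our own domain.
    if from_domain != org_domain and 0 < _edit_distance(from_domain, org_domain) <= 2:
        found.append(f"lookalike sender domain: {from_domain} vs {org_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain differs: {reply_domain} vs {from_domain}")

    # 3. Link text shows one site while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        if re.match(r"https?://", shown) and _host(shown) != _host(href):
            found.append(f"link text {_host(shown)} hides destination {_host(href)}")

    # 4. Pressure language in subject or body.
    lowered = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_CLEAN):
        print(phishing_indicators(sample) or ["no indicators found"])
```

Each indicator maps to something a person can verify by eye (hover the link, read the actual sender address, notice the deadline), which is the point of teaching rather than tricking: the simulation email you send should exhibit at least one of these cues so that an attentive employee has a fair chance to catch it.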
Additionally, to create a safe environment that encourages reporting, be sure to thank people for reporting suspicious activity or mistakes!
If your employees ever go to your IT team to report, “I think I may have clicked on something I shouldn’t have,” and they’re met with shame, there’s no way they’re going to want to report anything ever again.
Shaming employees for reporting mistakes creates a culture of hiding. They won’t report it for fear of getting in trouble, and as a result, the bad guys may get the time they need to penetrate and hide in your systems, ready to wreak havoc.
Instead, thank employees for reporting suspicious activity and/or mistakes. One of the best ways to reinforce the principle of “Security is everyone’s responsibility” is to ensure that it is appreciated when your employees take the necessary steps to find and report potential threats, even if they found it through a mistake they made.
Leverage Behind-the-Scenes Cybersecurity Technology and Provide Understanding
Investing in the right security tools is crucial. From firewalls to endpoint protection and intrusion detection systems, having a robust technology stack can greatly enhance your security posture. While many layers of your cybersecurity stack may not require much employee interaction, it is still important to provide an appropriate level of understanding of these layers for your employees to ensure the technology can be effective.
Consider email filtering. An employee doesn’t have to do anything to use it; it runs automatically and works to filter out potentially dangerous emails before they arrive. Email filtering without understanding, though, can become a security concern of its own. If an employee knows your organization has email filtering but has no sense of how effective it actually is, they can be lulled into a false sense of security, thinking that the filter eliminates 100% of risks and threats.
As a result, they may conclude that everything in their inbox is 100% safe and legitimate, leaving them free to click, open, or download anything they spot in their inbox.
We know this is not the case. No email filter is 100% effective at weeding out every single threat. This makes it essential to embrace education along with the cybersecurity layer of email filtering. In addition to understanding what email filtering is, employees need to also be trained to recognize and report any suspicious activity.
It is important to evaluate every layer of your cybersecurity stack and determine an appropriate level of education for employees. They need a certain level of understanding of what the technology does, what it doesn’t do, and how they must properly embrace it.
Fostering a Culture of Cybersecurity
The combination of technology with appropriate and effective training is the only way to build a culture of cybersecurity in your organization.
To dive deeper into what it takes to build a culture of cybersecurity in your organization, join Snap Tech IT for an informative webinar where we’ll be expanding on this topic.
Register today to explore how your organization can engage secure technologies, embrace best practices, and educate your teams.
Take the first step in building your culture of security by attending Snap Tech IT’s educational webinar – Cybersecurity Awareness Month: How to Build a Culture of Security.
Together, we can turn awareness into action and safeguard your business from emerging cyber threats.
Nathan Caldwell
Marketing expert, thought leader, speaker, and security awareness solution creator.