Here are a few tips on building, communicating and leading a positive cyber security culture in your business.
Build positive security habits
Decide what cyber security actions you want your people to take. These could include:
- quickly reporting messages that might be phishing attempts
- raising an incident report when their systems or devices are not operating as they expect
- using long, strong and unique passwords for each of their accounts
- installing updates on their devices as soon as they are available.
To make it easy for people to take these actions, you should have clear, easy-to-follow information and processes inside your business. It also helps to have tools available that support these actions. These might include:
- turning on external email warnings that prompt people to check where a message is coming from, especially if they have never interacted with that external sender before
- having a single phone number, email address, or tool that is easy to use to contact IT support
- providing a password manager that is easy to use, can generate long, unique passwords and stores them safely.
Communicate your expectations and values
Once you have the right tools and processes in place it’s important to make sure your people know what they are, how to use them and why they’re important. It can be beneficial to have a regular programme of reminders and demonstrations.
Defining and displaying your cyber security values somewhere the whole team can see them is a good start. Your values will depend on the type of business you are. For example:
If you are a technology business, your cyber security values may be centered around:
- including security in the early design and planning of your software
- never shipping a change or new feature with a known high-risk security flaw
- putting the privacy of your customers and their data first.
If you are a service business, your security values may be focused on:
- keeping customer data safe and confidential
- prioritising the security of the devices and systems that store customer data.
Your values could be included in your onboarding process for new staff and in your performance framework, and should be communicated on a regular basis. They should also be part of your cyber security policy.
Lead by example
It’s not enough to have just tools, processes and values. To really shift cyber security culture, the values and actions you want people to take need to be demonstrated, especially by those in management or leadership positions. Cyber security culture is local, and it is largely shaped by the leaders and people in charge.
Business owners and leaders need to lead by example. This means not contradicting the security values you have set for the organisation, and visibly taking part in positive security actions yourself. No action is too small when it comes to leading by example. If a leader is presenting from their laptop and their computer reminds them it is time to restart to install security updates, it can be quite damaging for them to laugh it off and say they will snooze the alert for another week. This sends the message that leadership and management don’t take security seriously, and it misses an opportunity to say to the team: “Looks like there’s an update available. I’ll install mine right after this presentation; be sure to check your own devices when you get back to your desks.”
Promoting a positive cyber security culture takes time and effort but it’s well worth the investment.