Maksim Pasko - Fotolia

What changes are needed to create a cyber-savvy culture?

PA Consulting's Cate Pye considers the people and process changes that are necessary to build a security aware business culture

New opportunities are appearing at breakneck speed in today’s technology-fuelled world, and organisations that are able to adapt and seize these opportunities fastest are winning market share and competitive advantage.

In this race to be first, organisations have to build a security culture that enables them to test that what they are doing is safe and commercially worthwhile.

Many organisations have already invested in their systems to protect them from cyber attacks, with the increasing numbers of these attacks meaning cyber security is now on the board agenda

But anyone delivering an IT programme knows that the systems only work if they are used in the right way. With 64% of breaches caused by non-malicious human error, it is clear that just getting the right systems won’t provide sufficient protection.

What is needed is a similar approach to embedding a culture of cyber security to that taken, a few decades ago, to drive improvements in health and safety expectations. 

From displaying visible metrics on the shop-floor wall to introducing rules ranging from use of ladders to not carrying hot drinks up and down stairs, engineering and power industries made clear which behaviours were expected and which would no longer be tolerated.

Bring IT to the board

In cyber, this starts with the board providing both advocacy and demonstration of good cyber practices, and discussing cyber security at board meetings. Leaders must adhere to good cyber behaviours themselves and not be tempted to break the rules everyone else has to follow, either just for convenience or because they think they’re different.

It is not okay to send emails to a home email account, to ignore patching prompts or to have a weak password. The reality is that senior people are more of a target, and by ignoring their own policies they undermine all the good work across the organisation by sending a message that implies “we say this, but we don’t really mean it”.

Putting cyber on the agenda at board meetings can start to demystify it and build a common language between the business leaders and technology leaders. There is often a mis-match between the level of confidence these two groups have in their cyber security and how they prioritise investment.

Having a regular board slot to talk about the business impact of cyber security and to understand the opportunities and threats the organisation faces creates a common view and understanding of what cyber security is needed to open up those new opportunities. It also means that if an incident occurs, board members feel better equipped to answer the questions they will inevitably be asked. 

In general, telecoms and consumer-facing organisations often discuss cyber security at board level and are likely to have a board member with responsibility for cyber security. Others, especially those in energy and infrastructure organisations, should learn from this.

Empowering employees

For employees, it is important to build an environment in which they understand why cyber security matters, feel empowered to make changes for the better, call out poor behaviours, and take pride in the fact that their organisation is good at cyber security.

Today’s employees would be shocked to work for an organisation with a poor health and safely record, tomorrow the same will be said of cyber security. Giving employees training to know what they do need to worry about and do (and what they don’t) helps them to focus on what matters. It also builds their confidence and knowledge so that the efforts of the cyber security team are amplified by the whole workforce.

Processes that encourage compliance are essential, but these need to be convenient. It has to be easier to comply with the right process than to find workarounds – we are, after all, human. That should reflect a mixture of streamlining good processes and introducing delays into bad workarounds.

This is the theory behind the CyberNudge interventions which work with human nature by building in frequent “nudges” to help people do the right thing. Most people respond to a helping push in the right direction, but struggle to remember exactly what the training course they did a few months ago told them to do – particularly when they’re in a rush or up against a deadline. 

Nudges are tailored to the organisation and can range from needing an extra click to open an attachment to slow down the thought process, to a pop up or blog on news stories about breaches that is streamed to people’s smartphones.

Establishing these people and process ways of working as the norm creates a culture across the organisation where people expect each other to do the right thing. Once these levers are understood, the systems can come back into play to reinforce good behaviours and underpin the new processes. 

This enables the organisation to respond quickly to new opportunities knowing that the people, processes and systems are mutually supportive and alive to the potential risks, as well as the upside, of technology-enabled growth.

Read more about security awareness

Read more on Security policy and user awareness

Data Center
Data Management