Education, board engagement and communication campaigns build digitally secure organisations

In today's digital age, organisations face an increasing number of cyber threats that can compromise sensitive data and disrupt business operations. While investing in advanced cybersecurity measures is crucial, it is equally important to build a workforce that is cybersecurity aware.

By focusing on behaviour change and promoting a culture of digital security, businesses can significantly reduce the risk of cyber incidents – Information security materials and ongoing awareness campaigns can help build digitally secure organisations.

The rapid adoption of things like mobile working and IoT devices for professional activities has made employee behaviours a massive area of focus for organisations. Staff are now using their own, potentially insecure devices, to log on to work systems, and connect with colleagues and clients. This means more risk from lost devices and weak or shared passwords, and sensitive company data accessed over insecure public or home Wi-Fi.

However, organisations can’t just shut everything down when there’s a risk. And whilst some organisations are turning to zero trust policies, employees still need to be able to open attachments, update shared documents, and pass sensitive information between multiple businesses across a number of locations. As a result, it’s always a balancing act between productivity and cybersecurity, but it’s possible to tip the scales in your favour by managing the behaviours you encourage and criticise in the workplace.

Remember: human mistakes sidestep expensive IT security

Yes, every organisation needs to invest in IT security and hardware. However, we must keep in mind that IT security is a failsafe for the mistakes that your employees will make. Phones holding company data are misplaced, passwords are cracked and shared, phishing emails are persistent and human error is frequent.

Imagine losing $100m because of phishing emails. Surely, no employee would fall for that and surely no phishing campaign is that destructive? Unfortunately for Google and Facebook, between 2013 and 2015, they were targeted by the biggest social engineering attack of all time. Lithuanian national, Evaldas Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

Even though businesses should operate with the mentality that the businesses might always be at risk of a security breach, there are some core measures that all organisations should be taking to ensure risk is kept to a minimum.

Employee education is key

One-off traditional classroom or computer-based training is simply not adequate preparation for employees needing to deal with the hostile, dangerous and dynamic world of cybercrime today. Instead, firms need to focus on ensuring each staff member understands the threat posed by hackers and the benefits of keeping their company secure, not just for their job role, but across the entire organisation.

Instead of occasional training sessions, organisations should look to build a strong cybersecurity culture where employees are capable of not only recognising cyber threats, but also are comfortable in reporting them, or even rewarded for doing so through gamification.

We also encourage conducting behavioural surveys and in-depth analysis of your employee behaviours in order to root out repeat offenders and unaddressed risky situations. Security behaviour assessments can help you to determine if there are particular departments or individuals within the business that aren’t as vigilant as required. Based on the results, CISOs can offer employees personal training, and outline how their direct activity could impact the business’s bottom line. This is key because for employees to really take notice of cybersecurity, they need to realise just how real the threat is, and the consequences for doing so.

However, don’t be fooled by thinking the only way to educate your employees is with training or direct knowledge-based materials. You can encourage and foster a continually improving security culture through a strong example set by C-Suite executives or interactive training methods such as internal simulated phishing campaigns. This can be particularly good for repeat offenders, as they are given an opportunity to engage with IT teams and learn from experience. You also give your employees the opportunity to make mistakes in a controlled environment, with the hope they do not repeat unsafe behaviours after they have been spotted, highlighted, and discussed.

Board buy-in is a must

Embedding a culture of cybersecurity across the organisation is vital but employee security and data culture must be driven from the top down to help prevent attacks. Unfortunately, board members are not always properly educated on the dangers of cyberthreats, so most organisations will need to focus on getting senior executives involved in their security policy.

This is especially important for protecting the business against phishing, as they are often targeted towards a specific individual with the intention of stealing data or installing malware on the targeted user’s computer – the higher-ranking the target, the more damaging a potential cyber attack could be. Spear phishers employ individually designed approaches and social engineering techniques to effectively personalise messages and websites, meaning top executives might find themselves opening emails they thought were safe.

For example, the 2014 cyber attack on Sony Pictures Entertainment, which led to the infamous controversy surrounding the North Korean-focused film ‘The Interview’, started with Sony's top executives being sent fake Apple ID verification emails, which sent them to a phishing site that stole their Apple credentials – which hackers then used to infiltrate Sony’s private network and make off with 100 terabytes of data. This monumental cyber attack devastated Sony, exposed financial records, damaged their reputation, and left a $35m bill.

Boards should increasingly understand that the cyber risks they face represent a critical business and financial risk, not just an IT risk they can compartmentalise. Boards must understand that cyber risk should be included on their risk assessment protocols and budget management discussions. Time, effort, and money should be focused on protecting your information and systems and you can’t get true time, effort and money without board buy-in.

Ongoing communications reinforce security policies

Regular communication plays a pivotal role in keeping employees up to date with the latest cybersecurity trends, threats, and best practices. By sharing relevant information, organisations empower employees to stay informed about emerging risks and adapt their behaviour accordingly. This knowledge helps employees recognize potential threats, understand the importance of security protocols, and make informed decisions while interacting with digital platforms and sensitive information.

Ongoing communication and awareness campaigns provide an opportunity to reinforce organisational security policies and procedures. By regularly reminding employees of the established protocols, organisations ensure that security practices remain at the forefront of their employees' minds. Reinforcement helps to embed these policies into the daily routines and habits of employees, reducing the likelihood of complacency and strengthening the overall security posture of the organisation.

Furthermore, regular communication and awareness campaigns foster a sense of collective responsibility within an organisation. By emphasising that cybersecurity is everyone's responsibility, organisations encourage employees to be proactive in identifying and reporting potential security incidents. This collective approach ensures that cybersecurity becomes ingrained in the organisational culture, creating an environment where employees feel empowered and accountable for maintaining a secure work environment.

Conclusion

Building a digitally secure workforce is imperative in today's cyber-threat landscape. By prioritising behaviour change and instilling a cybersecurity-aware culture, organisations can significantly reduce the risk of data breaches and protect sensitive information. Through comprehensive training, simulated exercises, strong password policies, incident reporting mechanisms, and ongoing communication, organisations can empower their employees to become the first line of defence against cyber threats.

Ultimately, a digitally secure workforce is an invaluable asset in safeguarding the integrity, reputation, and future success of any organisation in the digital era.

If you would like more information about how The Security Company can help you to engage board members and C-suite executives with cyber security ... or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.