How to Create a Sustainable Cyber Security Culture at Your Organization
According to the 2017 Ponemon Cost of Data Breach Study sponsored by IBM, the global average cost of a data breach fell by 10 percent to $3.62 million. But this is only one side of the story: the report further states that, despite the cost decline, the average size of a data breach increased by 1.8 percent to over 24,000 records. And that’s massive.

The ever-growing list of cyber-crime victims includes reputable, billion-dollar companies like Yahoo, Kmart, Verizon and Equifax. Equifax lost 143 million Social Security Numbers (SSNs) to hackers, which is more than half of the American population. This poses a serious question to C-suite executives across organizations and industries: what are you doing to create a sustainable cyber security culture at your organization so that you don’t become the next statistic?

Cyber security training for employees at all organizational levels is more crucial than ever for business survival, growth and defense. Simply relying on the IT department and technical staff to keep cyber criminals and threats at bay is not a practical, workable or feasible approach in the current cyber-crime climate.

Put simply, your cyber security strategy is only as strong as its weakest link. So you need to make sure that cyber security is treated as the responsibility of every employee. C-level executives must integrate cyber security into the organizational culture so that it’s taken seriously and is not just a one-time event. It’s important to do this now rather than later, because reports suggest that in the next 5 years cyber-crime will possibly become the biggest threat, with the damage cost likely to hit nearly $6 trillion annually by 2012.

ISMS — Take the First Step to Laying the Ground Rules

An ISMS (Information Security Management System) provides organizations with a centrally controlled and well-managed framework for keeping sensitive data and confidential information safe. It can best be described as a set of procedures, policies, and physical and technical controls created to protect the integrity and confidentiality of information. The framework is built on a risk assessment carried out across the company. All risks, internal and external, are analyzed, assessed and evaluated. Controls are then applied according to the likelihood and potential impact of the risks identified.

This truly serves as the groundwork for protecting not just your business but also your clients, stakeholders and customers. An ISMS can also be certified against ISO 27001, which is a great way to ensure that cyber security policies are rigorously implemented, keeping risks at bay while giving clients the confidence that their data is safe with you.

Invest in Cyber Security Training and Ongoing Awareness Programs  

According to a research study in the Journal of the Association for Information Systems, human vulnerability is the top cause of cyber security breaches. Hackers mostly exploit it through phishing emails that induce employees to click and open malicious links, or that trick them into handing over sensitive data.

Therefore, to ensure that none of your employees fall for these tricks or become the weak link in your cyber security plan, you need to train them. Your organizational culture should be geared towards developing their cyber security knowledge, habits and awareness through proper, ongoing training and awareness programs.

It has to be ongoing, or continuous, because annual awareness training is treated as an event rather than as an opportunity to improve cyber security on a regular basis. As time goes by, companies relax their security standards, which results in recurring issues. So, if you want to create a sustainable cyber security culture at your organization, frequent training sessions and courses are a must.

However, what is important to understand here is that these training programs need to be tailored. To do this, you’ll have to set your standard for cyber security and then benchmark the knowledge level of your employees so that development can be tailored to them. This activity can be time-consuming but is worth it. The good news is that there are reputable websites that offer cyber security courses online for people at different knowledge levels. These courses are a great way to get started and to ensure a sustainable security culture. In addition, upon course completion, participants earn cyber security certifications, so you know that they are enhancing their cyber security knowledge and moving up the learning curve.

Make Things Exciting with Gamification

If your corporate culture is fun and relaxed, like Facebook’s, then consider introducing cyber security into your corporate culture with excitement, through gamification. Consider live cyber security competitions. These competitions have been recognized as an effective and inspiring method of learning about cyber threats, attacks, what is possible, and techniques to prevent the risks.

Using a VPN (Virtual Private Network), two teams of eight to ten people are set up. This encourages teamwork while heightening the sense of urgency, as the game mimics a real-life cyber-attack. Teams must defend against the attack, resolve the problem, devise a defense approach and protect the data.

The purpose is to instill excitement, encourage teamwork, foster fast thinking and, more importantly, emphasize achieving security in the shortest and most effective way possible—limiting or preventing the chances of damage.

Rewarding Compliant Employees  

Another way to make employees take ownership of their role in sustaining a cyber security culture is to reward their compliance. After all, it takes effort to avoid unsolicited links, phishing emails and malware-ridden websites. You can reward compliance through cash rewards or other incentives—whichever will keep employees motivated and active in ensuring cyber security.

About The Author
Muzzammil
Product Manager at QuickStart

Muzzammil Hanif

With over 8 years of experience in the IT industry, Muzzammil is a tried and tested expert at product management. He has a special interest in InfoSec related certifications and courses, and has his finger on the pulse of the latest developments in the cyber security industry. When he is not working, he likes to watch movies and spend time with his family.