20th February 2020
To increase the security awareness of the employees in the long term and to build and maintain a cyber security culture, 5 steps should be considered:
Our blog gives you an informal introduction to these steps and subsequent tips, including selected tactics that will lead to success.
When implementing a successful cyber security culture, we focus on three pillars: training, awareness & communication, and implementing a security culture.
In addition to technical cybersecurity solutions, the correct behavior of employees plays a key role. This behavior is underpinned by an active security culture. To understand what a security culture is, we need to understand what the difference between a security culture and security awareness is:
Thus, a culture is more profound than awareness. The culture is internalized in action: people no longer think about it, they just do it.
However, a security culture cannot be created, built and maintained without a sense of security. Therefore, it is important that both topics be handled together.
Depending on whom you ask, the definition of a security culture can be somewhat different. KES has interviewed various security experts in one article on this very issue (KES 2019).
Security culture is part of the corporate culture and thus anchored in it. These are security -related values, behaviors and beliefs, which can each look different, even within a company. Security culture is a cycle: it defines the current state, the potential for improvement, the goals and the monitoring. This cycle is implemented and becomes part of daily life in the company through the cooperation of all persons, from the management level to the employee. Continuous communication is decisive for making this happen. What most experts agree on is the importance of a "climate of trust" so that security can be actively lived. Employees, for example, should not be afraid to report phishing e-mails, be it an incident or a guess. The messages, concerns and concerns of employees at all levels should be taken seriously and supported. One way to encourage this is by examples of appropriate behavior set by the management.
Security must be seen by everyone as a positive and important supplement to (everyday) work. A security culture that is put into practice practiced sensitizes employees to risks, which benefits the company. Therefore, the most central element of security culture is human behavior.
This is where security awareness comes into play, which deals with the training of human behavior.
First, a security culture is actively controlled and supported by the company and its employees. You can always influence and control it when you realize that something is going in a different direction from the one you intended. To do that, you must define what needs to be done. This quality assessment can be achieved using the capability maturity model. You measure, plan and optimize the security culture and then implement everything accordingly.
The Capability Maturity Model makes this assessment based on five levels:
The SANS Institute (SANSInstitute 2019) conducted a study last year to find out what level the companies are at. The result is scary: most companies do not get beyond level 3.
The implementation of a security culture is not only the task of the security team, but of all employees. This is achieved in collaboration with the management and all organizational units.That means that secure behavior is lived from top to bottom and that everyone is enabled to implement it. As the basis, the security department, in cooperation with the other organizational units, develops a security strategy. This includes awareness measures, which form the basis. They are supplemented by instructions and guidelines that need to be understandable, structured and workable to be used.
Rapid technological development in IT has led to a change in traditional forms of work. Behaviors that were without consequence a few years ago (e.g., attaching files to e-mails) can do a lot of damage today.
The role of a security culture is to be able to accompany this change process securely, warding off potential dangers through knowledge. Employees know what threats there are, how they work, and how to counteract them. That is, the basic premises about current and potential future dangers in the process are identified, and, more importantly, integrated into the organizational culture. Only with this kind of integration of security culture can an organization prepare for the unpredictable, proactively avoid or at least reduce damage, and pursue forward-looking development.
The cooperation of all employees in making security culture part of their life makes the job of security officers easier and makes security technology more effective. This will increase the protection of the company and reduce the risk of attacks (read more in our blog article "Information Security Culture: The Socio-cultural Dimension of Information Security Management").
To counteract cybercrime, it is therefore important to adapt the culture of security in a company so that the employees internalize and live the correct behavior. It is important to note here that this culture should not grow in a context of fear, but one of confidence in which employees know they will be heard and supported. To achieve a security culture, awareness must be created. If the employees know how to behave securely, the company benefits, and it becomes more secure.
TreeSolution sensitizes and trains everyone in your company, so that security is anchored in the culture in a structured way – i.e. in the everyday thinking and actions of all employees, right up to the management level. In this way, you protect your information and thus your company from attackers and oversights, economic damage and loss of image.