Who do you rely on to keep your data safe? If your answer is your information security team, you’re only half right. Because everyone can cause a security incident (and insiders, either accidentally or deliberately, are the biggest cause of data breaches), information security is everybody’s job. Making everyone realize that requires deliberately creating a culture of information security.
Obstacles to a Security Culture
There are two main obstacles to creating a security culture: your management and your employees.
Management often pays lip service to the need for information security but doesn’t practice what it preaches. Executives are likely targets for phishing attacks, but they’re often exempt from security awareness training. Many still share passwords and rely on administrative staff to generate reports and access online systems for them.
Employees see management not practicing safe computing, and reasonably conclude it isn’t really a top priority. The security training they receive is often boring or superficial. Their direct managers often emphasize getting the work done, even if it means taking security shortcuts.
Both managers and employees usually understand information security to mean technology that prevents data breaches. Building a security culture means changing that understanding; if you define information security as being about reducing risk rather than preventing a breach, it is easier to see how it’s everyone’s responsibility.
Learn more in Don’t Let These Obstacles Get in the Way of Your IT Security.
Talking About Information Security Is Key
Although much security training is ignored by employees, having conversations about security is key to changing awareness and attitudes. Look into new ways to make training more interesting and more impactful; the “gamification” of training rewards employees for the effort they put into it.
It’s also important to not only teach employees about strong passwords, but explain why they matter: what the risks and consequences are when poor security practices enable a breach. Changing attitudes also requires a clear process by which employees can report suspected phishing attempts or other security incidents.
In addition, provide tools and processes that help employees use safe computing practices—but use them wisely; restrictions in places where they don’t really make sense will lead to employees searching for workarounds. Have a strong password policy, and give employees access to a password manager so they don’t write them down. Make sure you have an efficient process to grant employees access credentials so they don’t need to share them.
Learn more in The cybersecurity employee training checklist.
Security Isn’t One and Done
The most important way to make security a part of your culture is to make it clear that it’s an ongoing process—employees haven’t fulfilled their security responsibility simply by attending a once-per-year presentation. Have fun quizzes and security tests throughout the year, with rewards for employees who do well or who report potential incidents.
Make your security culture even more effective by deploying security tools that support safe computing practices and reduce the number of threats that get near your employees. CCS Technology Group provides security services that help employees keep your data safe. Contact us to learn more.