Cybersecurity Solutions and Tactics for Building a Culture of Cyber Awareness
When it comes to cybersecurity, does culture matter? It’s one thing to implement cybersecurity best practices, but it’s another thing entirely to have your whole company actively engaged and enthusiastic about protecting their data and the company as a whole. So yes—culture absolutely matters!
Ultimately, your cybersecurity solutions should become embedded in your culture. Employees must be aware that security is a priority, that the program is sponsored by senior leadership, and that each individual should work in tandem with security tools to help protect the organization’s assets, information, and intellectual property. Keep reading to learn three keys to building a culture of cybersecurity.
Employee Awareness
Your people are your first line of defense! Hackers try to take advantage of peoples’ good nature and lack of technical acumen, so employees must be aware of the threats and the cybersecurity best practices for combatting them.
When a security program is operating optimally, it runs in the background and doesn’t impact employees’ abilities to perform day-to-day tasks. But if employees should hardly notice the program, where does employee awareness fit in?
Security awareness training programs are a great place to start. Employees need to know what is at stake and what is expected of them from a policy and procedure perspective. From there, security leaders need to reinforce what employees have learned. Here are a few ideas for that:
- Run phishing campaigns twice a year to see if employees can recognize these types of attacks.
- Send policy reminders via messages from leadership, newsletters, and posters.
- Set a “clean desk” policy and perform spot checks—but make them fun. When you visit their desk, is their screen locked? Do they have important papers out? If so, leave a ticket. Whether they “pass” the spot check or not, leave a small gift to encourage them to continue their good habits.
Executive Buy-In and Leadership
Security leaders and company executives need to be on the same page in order to set the foundation for a culture of cybersecurity. That means that IT leaders need to get buy-in from the company’s executives. How should they go about that?
First, minimize talk of security tools and focus on business outcomes. For example, let’s say you go to your CEO and ask about the level of exposure to vulnerabilities they want to have. They, of course, want zero exposure, which you inform them would cost $5M as far as patching is concerned. The CEO is not willing to pay that much, so the conversation becomes a risk-benefit analysis. How much exposure is the company willing to take on in order to maintain a reasonable security budget?
After explaining the level of business risk the company would be taking on were they to patch once a week, twice a month, once a month, and so on, the CEO decides they want to have your team perform patches every 30 days. With this level of understanding between the two parties, the executives own this as a business decision.
Second, choose a few key cybersecurity metrics to share with your board. Gartner has identified some of the most recent metrics, including time to remediate incidents, OS patching cadence, the risk to third parties engaged, phishing reporting rates, and recovery testing for core systems. With these key metrics understood, explain what they need to invest in to get the best ROI.
No matter the cybersecurity solution you’re implementing, a cybersecurity-positive culture starts with leadership. So once leadership has bought into the program, it’s time for them to lead the rest of the company the same way. Everything from the leadership’s sponsorship of a cyber secure organization to the messaging surrounding cybersecurity awareness training signals to employees how they should respond.
For example, we once put together a training awareness program for our security managed services clients. As part of this program, we filmed the CEOs explaining why the program was important. This type of visible support of your company’s cybersecurity solutions—along with being involved and ensuring adequate resources are allocated for the initiative—can help foster a culture of cybersecurity. The culture won’t change overnight, but as you constantly reinforce awareness of cybersecurity best practices, it will become stronger.
The Right Tools
Part of building a cyber secure culture is building a cyber secure company! Employees need to know that your organization values cybersecurity enough to invest in world-class solutions. And they need to know that if they make a mistake, someone (or some solution) has their back. Choose tools and resources that protect your environment and users from attackers, such as the following:
Multifactor authentication (MFA): You can no longer rely on usernames and passwords to keep your data safe; MFA is a must! Today, many regulatory guidelines, as well as cybersecurity insurance, require companies to implement MFA. But even if your company is not strictly required to use this tool, it is highly recommended that you do.
User and Entity Behavior Analytics (UEBA). UEBA in Microsoft Sentinel analyzes data logs, including data from users, hosts, IP addresses, and applications, to identify both normal and malicious patterns of behavior. With this analysis, the tool can provide actionable insights into how to respond to potentially malicious behavior. For example, if a user logs in to their account from an unusual location, UEBA would alert the cybersecurity team and suggest how to proceed.
Managed Detection and Response (MDR) programs. Manage detection and Response (MDR) services provide a 24/7 team and plan for detecting and mitigating risk. This allows you to stay ahead of threats and know where your risks are.
Attack Surface Reduction (ASR) Managed Services. ASR is one of the cybersecurity management services ProArch offers. This service implements security controls across Microsoft 365, email, and internet activity so that your data stays secure. At the same time, users can access the tools they need.
A culture-building part of this service is security awareness training and phishing campaigns, which help strengthen the “human firewall.” One study found that after one year of security awareness training, the “average failure dropped significantly across all industries, from an average of 32.4% down to 5%.”
It’s not enough for security teams to independently implement cybersecurity solutions. To create long-lasting improvements, it’s crucial to embed cybersecurity best practices into your culture. By proactively building employee awareness, gaining executive buy-in, and implementing the right tools, you can build a culture of cybersecurity that will protect your people and your organization for years to come.
Learn more about ProArch’s cybersecurity solutions here.