Tips for Creating a Company Culture of Cyber Safety

Cybersecurity
Hailey Carlson
July 11, 2021

Cybersecurity professionals will tell the public until they are blue in the face how important cybersecurity is for businesses of all sizes. Many businesses, particularly those which have encountered a cyber attack, have implemented things like trainings or posters around the office to try to promote these cyber professionals' guidance, to no avail. While these small steps can get employees thinking about cybersecurity, it is important to go beyond this and create a company culture with cyber safety at its core.

  • Establish policies and procedures -- Setting clear guidelines and expectations is key to the success of any project, and that's even more necessary for a subject like cybersecurity, which can be difficult for many employees to understand. Outline best practices and be sure that the policies are clear and helpful, so that employees are able to take preventative measures to avoid cyber risks and have guidance on what to do if they suspect a cyber attack has already occurred.
  • Regular trainings -- Ensure that the procedures implemented include not only a new hire training on cybersecurity, but also regular trainings that allow employees to sharpen their skills and learn about new and emerging threats. Though the basics should always be included to reinforce them, also be sure to update these trainings each time employees have to take them to keep up with new tips on cyber safety.
  • Provide employees with the resources needed to succeed -- Employees are only as strong as the tools given to them. When creating the formal policies and procedures, be sure to also provide employees with the resources necessary to help them succeed. This includes the aforementioned policies, procedures, and trainings, but also means hiring a dedicated team for IT and cybersecurity assistance. If employees have a real person they can contact when they are having security issues, they will feel more comfortable being honest about issues or concerns they have; this comfort helps employees be more confident in supporting the company's cybersecurity approaches.
  • Fake phishing emails to test cyber literacy (safely) -- When employees know they are being tested, they are looking for flaws or oddities in something, but testing them by sending a random email when they are least expecting it tests their real-world application of the skills taught in these various trainings. One test many companies have implemented in between the regular trainings is the fake phishing email, meant to get employees comfortable in real-life security situations that do not have the real-world implications of an actual cyber attack. If employees succeed in identifying the phishing attempt, it may be beneficial to reward them with something to make it meaningful to have done so. For those employees who fall for the attack, take time with them one on one to emphasize the importance of cybersecurity and how to identify such an attack in the future. Phishing attacks are some of the most common entry points for other, larger-scale attacks, and having a strong defense in educated employees is a major benefit to your company.
  • Talk about cyber incidents & learn from them -- An issue with cybersecurity is that there is a stigma about talking about it in the workplace. Cyber attacks and security incidents happen all the time, yet most companies do not approach the review of these attacks with transparency. Being open and honest about cyber incidents allows for questions to flow and conversations to be had -- this creates a learning opportunity for employees and creates a transparent, communicative workplace.
  • Managers, walk the walk -- This is all important information for employees, but the culture of any company is highly influenced by how executives manage. A big piece of being a good manager is setting a good example for your employees. Be sure to set a strong cybersecurity example by doing these things listed above and more.

Employees have the potential to be your company's weakest link and greatest cyber threat or, with the right company culture promoting strong cybersecurity, your greatest asset and strongest defense.

Image by rawpixel.com for Freepik.