Every organization across every industry is worried about information security. Another attack takes place nearly every day — often resulting in the exposure of consumer records or threats of attackers using data to extort money from organizations.
While there is no silver bullet for companies to protect themselves from a security breach, there are several things that will help build and support a strong security culture.
Here are seven security culture dimensions and tips for helping employees protect data.
This dimension involves the feelings and beliefs employees have toward security protocols and issues, which employees tend to see as necessary evils. Why? The way data security issues are handled in many organizations puts the IT department and workers into adversarial camps. Employees are viewed as malware-laden link-clickers, while IT is the reigning protector of data with the thankless job of cleaning up employees’ messes.
This adversarial view helps nobody. IT and security staff often feel like babysitters, and the rest of the organization views them as controlling overlords.
Establishing a solid security culture requires changing people’s attitudes from resentment to understanding and, ultimately, to compliance and cooperation.
To remedy this, start at the top of the organization. Attitudes about security and data can’t be changed without top-level agreement that cyber is a major risk. Senior executives need to make it clear that data security isn’t the sole responsibility of the IT department, but of everyone in the organization. All employees can protect or put company data at risk.
Tip: Don’t make assumptions about employees’ attitudes. Monitor their attitudes by collecting data not just on what they know, but also on their preferences and opinions related to data security. Then, work to close any gaps.
The actions and activities of employees have direct or indirect impact on the security of the organization.
Attitudes drive behaviors. If employees believe data is important and they play a role in protecting it, then their behaviors will reflect those beliefs. Behaviors are expressed as both those things employees do, as well as those things they don’t do. Examples of employee behavior include how they act toward password management or phishing.
Tip: Psychology teaches us people respond positively to rewards and negatively to sanctions. Instead of focusing on what employees do wrong, consider implementing a system of reward for those who demonstrate positive security-related behaviors. For example, formally thank employees for specific security behaviors they have exhibited during a meeting.
This involves employee understanding, knowledge and awareness of security issues and activities.
Nothing prompts behavioral change like having a clear understanding of the reasoning behind desired behaviors. For employees, understanding how data security affects their personal lives and the lives of their loved ones can generate aha moments that drive positive security behaviors.
Employees who adopt a more secure mindset at home will immediately begin making better security decisions at work. Other employees will observe and, ultimately, emulate their behaviors and actions.
Tip: Don’t just focus on the importance of data security in the workplace. Help employees understand how they are personally affected by poor data security decisions. This can be particularly powerful in today’s hybrid work environments.
High-quality communication channels promote a sense of belonging and provide support for security issues and incident reporting.
Data security-related communication is often dry, full of jargon and conveyed in a punitive tone. The channels used are usually limited and based more on the communicator’s channel preferences than the preferences of those being addressed.
Tip: Keep it simple. Ambiguity and complexity are enemies. Watch language, and be sure information is being presented in a clear and simple way. Use different communication channels to ensure the message conveyed is received by as many stakeholders as possible.
This dimension involves employees’ knowledge of written security policies and the extent to which employees follow them.
Cybersecurity requires compliance with policies and practices designed to protect company data. Unfortunately, having an annual compliance training is unlikely to increase compliance.
Tip: Inform employees regularly about how their behaviors and actions affect security. Try incorporating gamification into trainings. This strategy will make the experience more meaningful and increase the likelihood of positive change.
Norms involve the knowledge of an adherence to unwritten rules of conduct in an organization.
Every organization has certain shared beliefs — or norms — that drive behavior. It’s the “this is how we do it around here” type of sentiment that influences what employees do or don’t do. A shared norm can keep employees from exhibiting certain types of behavior. Norms are influenced by the following:
- Social circles influence behaviors, both good and bad.
- This is the extent to which people are committed to others in the group.
- Participation in social activities and messages reinforce desired behaviors and values.
- This is the reinforcement of shared values and vision.
These four influences are reinforced through social rewards, such as peer recognition, acceptance and inclusion, as well as social sanctions, such as peer disapproval and exclusion.
Tip: Enlist employee advocates for a program. Social pressure helps support and reinforce security-related values.
How employees perceive their role is a factor in sustaining or endangering the security of the organization.
If employees feel data security is the sole responsibility of IT, they will fail to fully understand their role.
Tip: Ensure employees understand the role they play in protecting data. Educate them about their responsibilities so they can willingly help build a strong security culture.
About the author
Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. He is chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform. He holds an M.S. in information assurance from Norwich University and is a Certified Chief Information Security Officer.