Why Security Culture Is Key To Cybersecurity Resilience

Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.

If you’ve been reading cybersecurity articles and blog posts lately, you’ll notice that much is being discussed about cybersecurity resilience. Per a recent Cisco report, 96% of executives rank cybersecurity resilience a top priority for their organizations.

But what is cybersecurity resilience? The National Institute of Standards and Technology (NIST) is quoted often, especially when it comes to defining cyber resilience: “Being able to withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

Just as the immune system helps protect against harmful bacteria and viruses, organizations too need to build immunity to not only defend against external and internal threats, but to train people and build the processes and technologies to respond, recover, learn and emerge stronger from cyberattacks, disruptions, leaks and data breaches.

Why Is Cyber Resilience Important?

According to Cisco, 62% of organizations last year witnessed incidents that impacted their cybersecurity resilience. Major incident types included network or data breaches, network or system outages, ransomware attacks, distributed denial of service attacks, accidental disclosure, malicious insider abuse and physical destruction.

The result? Organizations experienced information and communications technology (ICT) and supply chain disruptions, impaired internal operations, lasting brand damage, loss of competitive advantage and recovery costs.

Why Is Culture Key To Cyber Resilience?

The Cisco research revealed that the above-mentioned incident types “almost certainly involved employees as an attack vector. This included things like clicking on a phishing email, text or bogus URL.”

The research further stated that organizations with a strong security culture displayed a 46% higher resilience score in comparison to those that had a poor security culture. Of those reporting poor support from top executives, 39% had lower resilience scores in comparison to organizations with strong backing from the C-suite.

Both these points collectively (executive support and security culture) delivered one of the highest impacts to cyber resilience among the top success factors mentioned in the report.

What Can Organizations Do To Strengthen Cybersecurity Culture?

Security culture cannot be built overnight. It needs consistent and repeatable processes, just like a garden that needs to be watered, fed and nurtured before results start showing. Here are some best practices that can help build a strong and resilient security culture:

1. Treat employees as part of the solution, not the problem.

While security teams have an obvious responsibility toward the organization, non-security staff also have essential roles to play, since they are usually on the front lines of phishing attempts, malware and other security incidents. Train and educate all employees well, in a language they understand, using examples that are real and relevant. Have security discussions freely and openly so that people don’t view security as the exclusive domain of IT, but as something where they can actively contribute and help protect and grow the business.

2. Establish a clear blueprint.

It’s hard to proactively build culture when everyone is using a different type of blueprint. Organizations must therefore clearly and transparently communicate their security program, policies and rationale with the entire organization so they feel responsible and accountable for security.

Per the Cisco report, organizations whose employees gave them high marks on clearly written and communicated policies, procedures and documentation had a 27% higher security resilience score than organizations that couldn’t articulate what they were doing and why they were doing it.

3. Gain leadership support.

Culture is infectious and must always start from the top. Leaders and managers have the power to influence people, which is why it’s important that they articulate, communicate, demonstrate and promote a positive security mindset and behavior among their teams and circles of influence. Cisco data suggests security programs that are tightly aligned to business goals demonstrate 32% higher resilience.

4. Go beyond security awareness.

Organizations must avoid the annual, compliance-driven, check-box approach to security training. Like the posted speed limit we drive past and exceed, just because someone is aware does not mean that they care.

Focus on behavior-changing initiatives such as regular phishing simulation exercises, classroom training and real-time coaching. Give employees direct access to security teams. Understand their challenges, mindsets and security savviness. Involve them in policy making and provide them the tools they need so they feel empowered and motivated. The idea is to develop security as a core value within the organization so that employees develop an instinct for security, which then leads to improved security resilience.

Employees were once considered the weakest link in the cybersecurity chain. Today, it’s quite the opposite. It’s time leaders and security teams recognize this and pivot efforts toward building a mature cybersecurity culture, because only culture holds the power to make organizations resilient in the long run.