Why a Culture of Awareness and Accountability Is Essential to Cybersecurity

Effective cybersecurity relies only in part on technology. Even as tools and systems become more powerful, avoiding security mishaps is still largely dependent on people doing the right thing. From following best practices for updating and patching systems and software to knowing and understanding the everyday risks posed by phishing emails, malicious websites, or other attack vectors, everyone — not just the dedicated IT/security professionals — has some level of responsibility for cybersecurity.

The organizations with the best chance of minimizing threats are those that build and sustain a culture of awareness and accountability. Here are some ways to do that:

• It starts at the top: There is no substitute for having a leadership team that is bought in, sets the right tone, and leads by example when it comes to building a culture of cybersecurity accountability. Employees pay attention to what leaders do and listen to what they say. Members of the C-suite should regularly talk about the importance of cybersecurity in company-wide meetings, reinforcing the message delivered by the security team and both recognizing and encouraging participation in security training.
• Elevate the mission: For people to grasp why cybersecurity matters, they must understand the real consequences that can follow from a successful attack. What would it mean to the organization’s business operations, revenue, or reputation? By using real-life examples, you can drive home the impact that a breach could have on their day-to-day work life and even their very livelihood. Understanding the mission and the consequences will provide the context for the organization’s security policies and the importance of every employee adhering to them.
• Be transparent and plain: Being open and transparent with staff about what the security team is doing and why will help to build the trust that is so crucial to an effective defense. And remember that while your colleagues are smart and proficient in their roles, they’re not cybersecurity professionals. Jargon and acronyms will only confuse and/or bore them, making it more difficult for the message you’re trying to communicate to resonate.
• Promote an “all day” security mindset: Cybersecurity risks don’t go away when the workday ends. Make sure everyone in your organization understands that the same practices they use for work can help keep them safe on their own time. Moreover, ensure they’re aware that attackers see home networks, personal devices, and even personal email as viable vectors to attack corporate networks.
• Take the drudgery out of training: Cybersecurity is very serious business, but training can still be fun and engaging. Get the audience involved, use play, and create an atmosphere that encourages learning. Reward employees who actively participate and embrace the training or who demonstrate that they’ve learned from it (by, for instance, reporting suspicious emails).
• Keep it positive: The reality is that no matter how effective your training is, people are going to make mistakes. But rather than being punitive, focus on providing constructive feedback. If people fear the repercussions of making a mistake, they’re less likely to be timely and honest about reporting them.
• Be receptive to feedback and help: A strong culture of cybersecurity depends on open communication across the organization. Make it clear to everyone that the security team wants — and needs — to hear from them. Whether it’s something formal like an information security council with stakeholders from all departments or something simple like a suggestion box, it’s important to show that feedback from all stations is welcome. Giving people outside of IT a voice gives them a stake in the mission and a deeper commitment to its success. And you never know what great, new ideas those outside perspectives might bring to the table.

The job of cybersecurity isn’t getting any easier. Smart attackers increasingly target people first, not systems. To be truly safe in this environment requires an “all-hands-on-deck” culture of cybersecurity awareness and accountability. Everyone, no matter their role, should understand both their responsibility and their potential to make a difference.

If you’d like to keep current with the latest cybersecurity trends and best practices, visit the WatchGuard Corporate Blog.

Comments are closed.