Creating a new Cybersecurity Culture: Why training is the best tool for cyber resilience
By John Davis, Director UK & Ireland at SANS Institute
July 14 2022 - Cybersecurity teams have a tough job. Worrying stats show that, in 2021, there were 50% more attacks per week on organisations when compared to the year before.
There may be a growing chasm in the cyber skills gap, but here's the truth: even fully equipped, hyper-alert, expertly trained teams are nothing without the participation of the rest of the company.
Responsibility for cyber defence doesn't lie solely with the IT or security team. That belief is outdated, and dangerous as a result. Everyone is responsible for helping limit attacks, and security teams must communicate this by building a robust cybersecurity culture. Here's how:
Establish a cybersecurity culture through effective training
Culture is defined by shared attitudes, perceptions, and beliefs. These are the fundamental tenets of a cybersecurity culture too: it is built on security policies, and maintained through the security team's communication, enablement, and enforcement of those policies.
A strong cybersecurity culture is vital for good defences, but it doesn't come easy. Organisations are made up of humans, and human error is one of the biggest security risks.
In fact, the 2021 Verizon DBIR reveals that a human element was involved in 85% of data breaches globally. Excellent training for the people in any organisation is therefore a necessity. It is most effective when, rather than focusing solely on threats and challenges, it shows teams the value of positive cybersecurity habits and creates business-wide incentives to encourage them.
Well-trained IT staff and ongoing training regimes directly impact productivity, efficiency and digital resilience of the organisation. Therefore, security skills should no longer be only in the realm of the IT team, because they have significant business benefits. Instead, they should proliferate across the entire business, as the actions of employees have material impact on the organisationís ability to fight cyber attacks.
Communication is key to a culture of cybersecurity
Over the past couple of decades, demand for certain information technology skills has outstripped supply, leading to global skills gaps. Security skills are at the centre of that conversation, with a significant cyber skill gap seen in businesses.
Accelerated digital transformation and recent geopolitical events are increasing demand for security skills. As organisations increase their resilience to further disruption by relying more and more on digital processes, business models, and products, the security stance of the organisation becomes even more crucial.
As a result, communication is key to ensuring there are no gaps in an organisationís security posture. That means ensuring employees feel comfortable communicating with the security team if thereís a concern or question, which will ensure any potential issues are tackled as quickly as possible.
Implementing a culture in which team members feel comfortable asking questions about security is just as important as having formal security training. This is a conversation, and we must learn from one another to protect our work and livelihoods.
Build digital hygiene into your culture
What does digital hygiene look like in practice? Let's start simple. Passwords are still fundamental to information security. They are the first line of defence for almost all electronic information: networks, servers, devices, accounts, databases, files and more. When an organisation's passwords are digitally hygienic, that is a solid foundation for further positive changes to its cybersecurity culture.
We may live in 2022 but, believe it or not, password compromise is still the root cause of many breaches. Secure password management requires a unique password for each and every account, which means many long, cryptic passwords that are difficult to keep track of. Yet 55% of people rely on memory alone to manage their passwords, which all but guarantees reuse and weak choices, and clearly indicates a lack of secure password practices.
Password managers are one answer to this problem: they generate a distinct, complex password for every account and remember it so the user doesn't have to. Organisations should commit to providing the appropriate technology to facilitate this, alongside controls such as multi-factor authentication, but also to educating teams on the value and simplicity of these tools, so that nobody resorts to workarounds. By enabling a password manager alongside a team understanding of its value, organisations can feel confident that a strong cybersecurity culture is well within their grasp.
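To make concrete what a password manager takes off a person's shoulders, here is a small added illustration (written for this page, not code from SANS or from any real password manager): it generates a distinct high-entropy password per account with a CSPRNG, quantifies the entropy, and audits a vault for the reuse that "memory alone" tends to produce. The account names and the reused sample password are constructed for the example.

```python
import math
import secrets
import string
from typing import Dict, List, Optional

# Character set a typical generator draws from: 52 letters, 10 digits, 32 symbols = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password drawn with the secrets module (a CSPRNG), never random.

    Rejection-samples until every character class is present so that the result
    also satisfies the usual site complexity rules; this does not bias entropy
    meaningfully at these lengths.
    """
    if length < 12:
        raise ValueError("length below 12 gives too little entropy")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


class Vault:
    """In-memory stand-in for a password manager's store (no encryption at rest;
    a real manager encrypts entries under a key derived from the master passphrase)."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def add(self, account: str, password: Optional[str] = None) -> str:
        """Store a password for the account, generating one if none is supplied."""
        pw = password if password is not None else generate_password()
        self._entries[account] = pw
        return pw

    def get(self, account: str) -> str:
        return self._entries[account]

    def audit(self) -> List[str]:
        """Return accounts whose password is shared with at least one other account.

        This is the check a manager can run that a human relying on memory cannot:
        one leaked password should never unlock a second service.
        """
        by_password: Dict[str, List[str]] = {}
        for account, pw in self._entries.items():
            by_password.setdefault(pw, []).append(account)
        return [a for accounts in by_password.values() if len(accounts) > 1 for a in accounts]


if __name__ == "__main__":
    # Constructed demo: a "memory alone" user versus a generated-per-account vault.
    human = Vault()
    human.add("bank", "Summer2022!")     # constructed sample of a reused password
    human.add("email", "Summer2022!")
    human.add("shop", "Different#1")
    print("reused across accounts:", human.audit())

    managed = Vault()
    for site in ("bank", "email", "shop"):
        managed.add(site)
    print("reused across accounts:", managed.audit())
    print(f"entropy of a 20-char generated password: {entropy_bits(20):.1f} bits")
```

The entropy figure is what makes the "difficult to crack" claim measurable: 20 characters from a 94-symbol alphabet is about 131 bits, far beyond any offline guessing budget, whereas a memorised word-plus-year pattern is a few dozen bits at best.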
Educating employees to detect threats
Phishing is another simple yet unwaveringly popular attack method today. In fact, in the last few years, threat researchers have seen more phishing than ransomware, despite the fact that the latter makes more headlines.
Employees should be aware that the old-school tactics are still very much alive. Threats such as vendor impersonation remain highly popular today. By teaching staff how phishing works, and the tell-tale signs that someone is trying to exploit human nature to extract sensitive information, organisations can develop cyber resilience.
Sure, there are technologies that help against phishing, such as multi-factor authentication (MFA), which limits what a stolen password is worth on its own. So too are there practices: approaching links and attachments with caution, flagging external emails, and keeping software updated. But one of the easiest to implement and most resilient defences is a verify-first mindset in the spirit of zero trust: treat every request, however familiar it looks, as untrusted until its origin has been confirmed.
Cybersecurity isn't a clique - it's a culture
Cybersecurity isn't just for IT teams tucked away in the basement of a larger enterprise, battling threat actors while those upstairs click carelessly on phishing emails and let more threats in.
It's a culture, not a clique. That means everyone needs to be involved, to have a baseline understanding of what will protect the business, and to be inspired to believe in a larger goal: that cyber attacks needn't be inevitable when we all work together.
For security teams who know their stuff, the job now is 99% communication. The best way to do this? Build security awareness into your company's shared attitudes, perceptions and beliefs in order to secure a long-lasting culture of cybersecurity, and a futureproofed organisation.