This blog post was first published on our Norwegian blog, and you can read the original article here.
Establishing a cyber security culture is about weaving the company’s values, knowledge, attitudes and actions together with technical security controls and an understanding of threats.
To succeed in introducing a cyber security program, you must realise that people are – and remain – the weakest links in the cyber defence of a business. A good cybersecurity culture aims to create awareness so that the organisation can stand stronger to defend itself from scams and other types of attacks.
How do you get started building a security culture?
First of all, you need someone who is responsible for managing the training program. It must be run as a project with support from the highest level of executives in the organisation. Then, you can start executing on the following steps:
- Recruit the right people to run the program
- Set a scope for the project
- Measure the level of security awareness and interest within the organisation
- Map out actions that must be executed to reach the goal
- Set deadlines for the different actions so that it’s clear when each activity should be started and ended
- Define metrics
- Define success
Establishing a security culture means that management and employees speak the same language and share a common understanding of their own business and strategy. Transparency is key. That is why a security culture must be built together with the employees, not imposed on them.
The team that will run the program must be a mix of technical, administrative and other professionals. They must have a strong understanding of the business, the business’ goals and the threats they face. This applies to both small threats and targeted attacks.
It’s difficult to know how to reach the goal if you do not find out where your organisation stands today. By performing a gap analysis consisting of interviews, a review of documentation, security manuals and security policies, and random sampling, you will more easily find out what works and what doesn’t.
Different departments have different needs
Remember that different departments and disciplines have different needs according to their knowledge and skills. It doesn’t have much value for a salesperson to get an introduction to configuring firewalls, or to ask security professionals to go through e-learning on phishing.
You have to perform a gap analysis on the different departments and map the activities that you think will have the most effect. It is best to run the security culture program as an iterative process where activities are repeated several times, so that it is easier to see whether the program has the desired improvement effect. If an activity costs more than the value it creates, reconsider it.
Methods to increase security competence
There are many types of activities you can use to spread awareness, find out where your organisation stands, and measure improvement. No matter which methods you choose, goals and metrics must be defined to give you an answer on whether you have reached the goal or not.
And, most importantly, the activities must be rewarding and engaging. Here are nine different method ideas that will help you raise awareness and build cyber security knowledge internally in your organisation:
Games
Perhaps the most expensive technique you can use to drive learning and communication, but also without doubt the most effective, memorable and original. It can be both computer games and board games.
How about a multiplayer game to jump into at given times to solve some puzzles with colleagues? Or what about a card game à la CPU Wars that requires zero setup time and can be played during lunch? If you develop something like this, it can also be used at stands at conferences, on websites, and for recruitment.
Videos
Expectations for the video format are lower than ever, so why not take advantage of that and deliver the training through interactive videos? Pull out your phone and shoot some fun snippets that can be distributed on the intranet or sent to employees via email.
Events
Turn an event into a theme-based team-building exercise. Divide employees into groups and send them out on a treasure hunt with some fun exercises. What we humans remember best are good experiences with others, so take advantage of that.
Ethical hacking (pen testing)
Hire a company with the capabilities to test current physical security, employee goodwill and your public-facing systems. There are companies out there that provide such tests as part of a training course.
Physical pen tests, and especially social engineering attacks such as phishing, are in the ethical gray area, but done correctly, this can be a very effective and enjoyable learning process.
Webinar and e-learning courses
Hire specialists in different subject areas who can talk about cyber security. Webinars and courses can be stored on the intranet so that everyone can see them at one time or another. Give those who take the time to complete the course or watch the webinar an award, such as an achievement badge.
Speakers
Bring in good speakers who can tell some exciting stories about IT security.
Workshops
Hold workshops where groups solve a specific task related to security. Make them understand probability and consequence, and how these are linked to confidentiality, integrity, availability and the business areas of the organisation.
Posters and flyers
Make posters and flyers available at the office, preferably with a bit of humour rather than with strict orders.
These posters can work as reminders to put on screen lock on the machine before going for lunch or coffee, or to be careful of who you let into the office building when they don’t have access badges.
Flyers can be handed out with tips on how to set up two-factor authentication on private accounts, what to look for in a suspicious email, and so on.
Rewards
Reward those who follow security advice. Give them badges when they report suspicious emails, notice something suspicious on their laptop, remind a colleague to lock their computer, or carry out other similar activities.
There are a range of activities that can be done to raise awareness and knowledge about cyber security in your organisation. So, how do you go about measuring the effect of such activities?
Whereas it’s easy to see how many people watched a video, you don’t know how many people actually paid attention and learned something. Run tests at the end of the awareness campaign to see whether the level of knowledge about cyber security threats, and about how to prevent attacks from succeeding, is higher than it was prior to the campaign.
Every business needs to find its own style and method to get better. Does your organisation have one common security system, or one for each company? Or perhaps you have a combination of these?
What does the reception desk routine look like when guests enter the office building, and does this change depending on who is working that day? Is the office building set up in open landscapes or cubicles?
Do you run your own infrastructure? Your own mail server? Or is everything running in the cloud?
This list can go on forever, so make sure that you take into account everything that might be of importance to the security culture in your organisation.
A security culture program must be a living process that is not limited to the security month of October or other standalone initiatives. Ensure that cyber security is top of mind for everyone in the organisation at all times by constantly promoting, distributing and running awareness campaigns across the different companies and departments.
Those who manage the program should have regular meetings with the management and report frequently.
How to build a cybersecurity culture without a project
Not everyone has the means, time or expertise to implement an iterative process as described above. But it is still possible to execute on certain activities and run them as standalone measures.
Running a webinar or creating a simple video training course doesn’t have to ruin the budget. Find the activities that are relevant – and doable – for your specific organisation. Good luck!