
How can cyber security professionals use psychology to help prioritise cyber security in the workplace?

1. Drop in for a visit

IT security messages – most of them, at least – are delivered digitally. Emails, blog posts and intranet threads have their advantages... but how effective are they when it comes to developing culture?

According to the nonverbal communication researcher Albert Mehrabian, not all that much. Or, certainly not as much as talking to people face to face. Mehrabian's well-known figures – roughly 7% words, 38% tone of voice and 55% body language – suggest that recipients derive much of a message's meaning from means other than the words themselves. A caveat is worth stating: Mehrabian's studies concerned the communication of feelings and attitudes, specifically where the words and the delivery were inconsistent, so the percentages do not apply to every message. The underlying point stands, though: tone and body language carry a great deal of an attitudinal message, and neither is present in written communications.

To advance cyber security culture, cyber security professionals should aim to increase their physical presence in workplaces – even if only on an intermittent basis.

2. Focus on behaviours

Our attitudes shape our behaviours. But, by the same token, our behaviours shape our attitudes.

Indeed, research by the psychologists Gary Wells and Richard Petty found that people were more likely to agree with a persuasive message if they happened to be nodding their heads while hearing it. Just as what we think shapes what we do, what we do shapes what we think.

Collective attitudes – and by extension culture – can therefore be changed by changing people's behaviours first. A simple series of simulated attacks (for example, regular simulated phishing emails that give people repeated practice at spotting and reporting a suspicious message) gets people doing the secure thing, and the attitude tends to follow the behaviour.

3. Seek questions and feedback

Every question highlights a gap in knowledge, and every answer to a question fills a knowledge gap. But there aren’t many companies that make asking security questions particularly easy.

Feedback forms post-training largely go ignored. So questions should be encouraged during training, as and when questions crop up. Online platforms like CybSafe now make asking questions during training simple.

4. Show people the value of good security decisions

We all know of security horror stories. But how many people outside of security know of security stories in which people saved the day?

Sharing stories that paint security-conscious people as heroes can show the value of taking security seriously. If that sounds like it might be tough, bear in mind platforms like CybSafe help you keep track of useful metrics you can use to celebrate security wins.

5. Align security with people’s needs

Security often conflicts with a given individual's immediate objective. And, because our behaviours influence our attitudes (see point 2 above), every time someone chooses to break security guidelines in favour of getting the job done, they come to see cyber security as increasingly irrelevant.

To build a culture of security, security professionals must make security an enabler. Security must help people get the job done – and to do that, security professionals need to understand what it is people want to do in the first place.

By taking the time to work this out, security can be aligned with people’s goals, embedding cyber security into everyday culture.

6. Train everyone

As humans, we all like to belong to groups. Training everyone in your organisation – from the board to junior recruits – can help build a security-conscious in-group that people (whether rationally or otherwise) will have a desire to join.

The fact that training everyone also positions cyber security as a topic of importance makes training everyone a double-win.

7. Train suppliers

During attacks, criminals routinely manipulate partners and suppliers to gain unauthorised access to target networks: a compromised supplier account or a convincing email that appears to come from a trusted third party is often easier to obtain than direct access.

As well as reducing that risk (training complements, rather than replaces, technical controls such as limiting what supplier accounts can reach), training partners and suppliers also demonstrates to your own organisation just how serious cyber security is. Training suppliers and partners is therefore a simple way to build a cyber security culture.

8. Get personal

To encourage people to take cyber security seriously, it’s worth pointing out personal benefits as well as professional. People usually have more of a reason to take security seriously at home (where a cyber attack can lead to personal turmoil) than they do in their workplace (where they’re largely shielded from the more devastating consequences of a cyber attack). As an added bonus, any security habits developed for personal reasons will follow staff into the workplace.

9. Think simple

“If TalkTalk had cryptographically segmented its security system into predefined and clearly understood fragments, the breach would have been more manageable, instead of system-wide.”

That’s a soundbite from a commentator following the high-profile TalkTalk breach of 2015. To anyone outside of the security industry (and even some insiders), it makes no sense whatsoever.

Cyber security must be understood to be enacted. To build a cyber security culture, keep things simple.

10. Review performance

Performance reviews are embedded into modern workplaces – yet the reviews rarely take cyber security into account… which inadvertently positions cyber security as secondary to employees’ primary responsibilities.

Security training analytics help assess an individual's security performance and can easily be relayed to employees during performance reviews, giving cyber security a new-found priority.
Summary: The importance of creating a cyber security culture

Most security professionals are aware of the importance of creating a cyber security culture. But so far, few have managed to do so.

By implementing a handful of the above points, most of which are easy enough to put into practice, security professionals can help build a cyber security culture. And, given its importance, a cyber secure culture is worth working towards.

CybSafe drives real and lasting change in the cyber security culture of your people and your organisation. 86% of organisations that receive a CybSafe demo go on to adopt the platform.
