What does culture have to do with keeping your business cyber secure, you might ask? According to a recent whitepaper written by Cultural Cyber Security (CSS) titled “Culture eats technology for breakfast”, employees are the biggest risk when it comes to potential attacks and phishing scams. Conversely, the culture of the business can also be its saving grace when it comes to vigilance, safety and protocol adherence.

Members will recall Dr James Carlopio presented on this topic at GC22 and these lessons are only becoming more important in business and our day-to-day lives. Here’s the latest from the CSS desk.

“Cyber security costs trillions globally and will continue to escalate.”

CSS cite people and culture, not technology, as the biggest weaknesses: 5% of all cyber breaches are attributed to technical or systems failures, while the vast majority of incidents or attacks (95%) point to the employees and the organisational cultures that drive their attitudes and behaviours.

Successful cyber security, according to CSS, is no longer driven by technical solutions alone, but rather by a well-rounded mix of stringent processes and protocols and a culture that is willing and passionate enough to protect and enhance the environment in which it operates.

Firewalls, virus protection, application whitelisting, patching and hardening, as well as multi-factor authentication, continual back-ups and other technologies do their jobs well but cannot ensure long-term safety without the backing of personnel with the right attitudes, willingness and energy to do the right thing.

“You want cyber-safe behaviours; you will have to create a cyber-safe culture.”

It is evident that cyber criminals are in a state of constant evolution: just look at the plethora of post office, banking and toll emails and text messages, to name a few, doing the rounds. A once-off induction briefing on policies and procedures is necessary but no longer sufficient in the quest to keep a business safe. CSS believe that, as with any attempt to improve culture and boost morale, the same processes and culture strategies need to be applied, with people regularly and consistently reminded of cyber security principles, as they are with OH&S.

“Reduce cyber risk by promoting cyber safe ideas, knowledge, values and behaviours.”

CSS outlines a 5-step process to create a harmonious attitude toward keeping the threat of cyber breaches to a minimum, and it all starts with the people.

Step 1: Establish the baseline

  • Conduct a cultural diagnostic
  • Identify cultural maturity levels, establish baseline, identify key areas and at-risk behaviours, acquire staff comments and insights 

Step 2: Define desired future state

  • Conduct maturity model assessment
  • Identify future desired state and maturity level

Step 3: Planning

  • Develop 3-year strategy aligned to business
  • Develop roadmap and 12-month Operational or Action Plan

Step 4: Actions

  • Establish understanding of the “why” of cyber security
  • Deliver leaders and managers programs
  • Staff information/learning sessions
  • Improve phishing simulation program
  • Integrate cyber life skills
  • Consider gamified learning
  • Develop the communication plan

Step 5: Accelerate

  • Deliver cyber champions programs
  • Continued communications, induction, education, training, awareness activities

In summary, our working environment significantly affects the way we think and behave. The CSS whitepaper highlights the link between these attitudes and behaviours and how they play a pivotal role in how cyber security is accepted and executed within your business.

Read the whitepaper: CCS_CultureEatsTech

Log in to the SSAA Member Portal for more cyber resources, including the Cybersecurity and Information Management Guidelines and the Cyber Awareness Webinar Series, presented by Dr Carlopio of CSS.