Team Huddle: Fostering a Cybersecurity Culture

Have you ever had a manager who rolls their eyes every time someone from a specific department sends a company-wide email, implements something new or speaks up during a meeting? You know what I’m talking about. How does it affect your attitude towards that department? I’m willing to bet that, at some point, you started rolling your eyes as well to emulate that boss’s behavior – after all, they’re the one giving you a performance review.  

Company culture and attitudes are often learned behaviors. Executives and managers set the tone for what’s important and what’s not. The actions and attitudes exhibited by company leaders have a trickle-down effect – and one business-critical area that’s important to not overlook when it comes to setting the tone is cybersecurity.  

Impacts of a strong security culture  

As mentioned in the “Having the Talk” blog as part of this series, fostering a strong security culture within your organization starts at the top. Exhibiting passive or even defiant attitudes towards information security will all but ensure that your employees will take a laissez-faire approach as well. Alternatively, demonstrating the importance of data security will instill an awareness of and commitment to cybersecurity throughout your organization.  

A strong security culture is both a mindset and an operational mode. When managers see that cybersecurity is a top priority for company executives, they tend to adopt the same point of view and pass that sentiment along to their team members. This makes employees more vigilant and prepared to help thwart potential incoming cyber threats.    

How to be a security champion 

Knowing that managers and employees are taking cues from the executive team, how exactly can these company leaders consistently demonstrate their commitment to cybersecurity without overdoing it? Consider the following tips:

  • Always highlight the positive. It’s easy to use scare tactics and show the negative consequences of falling for a phishing email or clicking on a malicious link. However, that’s not always the most effective method of fostering a productive security culture. Instead, reinforce identification and reporting of suspicious activity in a positive way. When a threat is brought to your attention by an employee, send a company-wide email alerting staff of the suspicious activity and congratulate the individual who noticed it first. Additionally, talk about the benefit of identifying a threat (i.e., what could have happened and been lost if the company had fallen victim) to reiterate how important cybersecurity is to the organization’s health.
  • Practice continual testing. Practice makes perfect! Partner with trusted third parties to send phony phishing emails and call employees to see who falls for the scam and who doesn’t. This will help your employees understand what to look for and how to combat threats. Once tests are complete, have managers walk through the results with employees to highlight what they did right and what to do better next time. It’s also just as important, if not more so, to ensure that executives and managers are receiving these tests as well. If they don’t know what to look for, how can they expect the same from their team members? Additionally, executives hold the keys to the kingdom, making them the most targeted and impersonated members of the company. If a cybercriminal can break into an executive’s account simply because that individual didn’t know what to look for, the entire organization can be quickly compromised.
  • Don’t make allowances for executives. Oftentimes, security measures are turned off or ignored in the interest of convenience for members of the executive layer. When this happens, it lessens the value of security for the rest of the company. If managers and employees see executives bypassing security procedures, they assume they can do the same thing – putting the entire company at risk to accommodate one person.

It starts at the top   

I recently visited my former doctor to get a copy of medical records and discovered the office had fallen victim to a ransomware attack. When I went to pick up my records, I received a letter informing me of the attack and assuring me my data was “secured” (although obviously not by them), and that my records couldn’t be accessed. A couple of weeks later, I had an appointment with my new doctor, and gave them the letter explaining the ransomware attack and that my old records were not accessible. Despite working in healthcare – where ransomware is currently running rampant – the receptionist at the new office didn’t seem to know what ransomware was and stared at me in bewilderment.  

When a culture of security isn’t instilled from the top down, this type of reaction is to be expected. When employees at any level have limited exposure to the threats facing their industry, the entire business can suffer – from customer service to losing critical data. However, when leadership accurately and positively conveys the importance of cybersecurity, companies are less likely to fall victim.  

Executives making cybersecurity a top priority doesn’t have to be cumbersome or induce eye rolling. All it takes is a one-to-two-minute reminder during company-wide meetings, or an occasional email reminding employees about available training and current or new industry threats, to ensure your security culture stays intact.
