Last updated: 08.02.18

A corporate culture of cyber security awareness: a dream, or reality?

Technological developments in the business world have made it necessary for companies to make cyber security a key part of their corporate culture - but many are still not consistently achieving this.

In the last few years, cyber security has gone from an issue that's important to only a small percentage of tech-oriented businesses, to a core priority for organisations of all shapes and sizes across the world.

As such, it's now standard for businesses of every kind to have cyber security policies in place, and to spend considerable amounts of money making sure they have the software and systems necessary to protect against attacks from cyber criminals. With the Europe-wide General Data Protection Regulation (GDPR) coming into effect, this issue is gaining more prominence than ever before, and the inexorable digitisation of key business processes means this is a trend that's unlikely to ever be reversed.

However, there's more to cyber security than simply spending money on the right antivirus programs. To protect your company from the full range of threats out there, you need to be sure that your entire corporate culture is dedicated to that principle and is taking the necessary action to prevent threats from developing. This should be the goal for any organisation - particularly given that many firms are not quite living up to this vision just yet.

Why is a cyber security-focused corporate culture so important?

The importance of cultural change in cyber security was recently highlighted by experts from the US Secret Service during the 2017 NetEvents Global Press and Analyst Summit, who pointed out that changing attitudes and behaviours is the only way of preventing security breaches caused by human error.

This is a logical conclusion: a company can spend huge amounts on sophisticated software or hundreds of man-hours developing in-depth security processes, but all of this money and effort will be wasted if workers are not engaged enough to fulfil their own responsibilities in keeping sensitive data safe.

Michael Levin, former deputy director at the US Department of Homeland Security, pointed out that as many as 70 to 80 per cent of hacks can be traced back to human error at present, with many malware attacks being caused by staff opening unsafe email attachments. Other common errors can include failure to adhere to protocol when it comes to selecting a secure password, or connecting to the company network with an unsecured device.

Mr Levin said: "There are plenty of tools out there, but if your employees are clicking on every email link and attachment that they're getting, something's going to happen. Bad things are still going to happen, so we have to reduce that risk.

"Many organisations don't want to take the time to educate their people on what they can and cannot do, and it's so basic to the day-to-day process of any organisation."

What can be done to achieve a holistic cultural shift?

While there are always going to be a handful of cases in which disgruntled employees compromise their organisation's data intentionally, the vast majority of incidents are going to be caused accidentally by a staff member who simply wasn't educated or engaged enough to understand the importance of proper cyber security until it was too late.

That's why it's vital to make sure that any investment in new data protection systems and standards - whether or not this activity is associated with the new GDPR rules - is accompanied by a rigorous and comprehensive training programme. This will give staff the opportunity to learn about all the risks involved and get to grips with any new systems that are put in place, making it much less likely that your company's protection will be compromised by a simple oversight.

It's also worth remembering that this training should be about more than just a list of new rules - cultural change is about shifting attitudes and behaviour, so it's vital that sessions be made as engaging as possible. That way, you'll be able to achieve much better retention levels and ensure that workers feel actively committed to upholding better cyber security, due to a deeper understanding of why it's such an important issue.

One way or another, it's an issue on which companies need to take action as a matter of priority. As Ronald Layton, deputy assistant director of the US Secret Service, said: "Cyber as a discipline and an endeavour is completely new. Humans are interacting with these machines, and this is all new. So we're having to force cultural change."