Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
As the world struggles to find a “new normal,” many things have changed, especially where we work. At least one survey shows that nine out of 10 organizations are set to move to hybrid work permanently. This trend creates even more challenges for security and compliance teams. Since hybrid work blends the home and office, home and office data is blended as well. A vast majority of cyber breaches involve human error, and this risk is set to multiply with the widespread adoption of hybrid work.
Building strong security knowledge, values and behaviors is the need of the hour; nurturing an organizational culture that places proper value in security is the key to shaping employee behaviors, attitudes and mindsets. Having said that, sculpting human behavior is a complex, long-term process that cannot be solved via temporary, episodic initiatives. Let’s look at my top five recommendations for how organizations can build and sustain a robust security culture in this new hybrid work culture:
1. Internalize security.
Security culture goes way beyond security awareness or coercing secure behaviors. It’s about making workers value security to the point where they proactively participate in taking steps that reduce risk. It’s about internalizing a cybersecurity mindset that puts the organization and customers foremost. You want your workers to apply what they learned about security to their daily routines in order to eventually boost confidence in making the right security decisions.
Ensure your business is routinely spreading awareness about new risks in the workplace, best practices in cybersecurity hygiene, and policies and procedures. Regular communications, mock drills and other security awareness exercises are critical in engaging employees, especially those who are working remotely. Senior management and board members must treat cybersecurity as a strategy that is imperative and valuable to business success, and it’s critical that they lead by example.
2. Build engagement and ownership.
A defining feature of any security culture is that it must be challenging, engaging and, yes, fun. Recognizing and rewarding good security behavior is an important tactic for building and sustaining a security culture. When done right, engaged audiences provide a high return on investment (ROI), helping the business achieve its security objectives. Disengaged employees, on the other hand, can negatively impact a security program and put the business at risk.
One drawback of hybrid work environments is that they lack in-person interactions. Sharing and interaction should be promoted because only through contribution will employees feel ownership. Culture is often contagious; when employees see other employees complying with the security strategy and espousing security values, they feel motivated to mirror those behaviors and values.
3. Create a climate of trust.
Trust is the foundational element of culture change. Anxiety and defensiveness usually creep in, especially when it comes to a sensitive topic like privacy. Many employees are reluctant to report a security threat for fear of reprisal, and one Administrative Science Quarterly study shows that blaming employees isn’t the solution.
Ideally, organizations must promote a healthy culture of skepticism where employees can report suspicious emails, behavior or activity without the fear of being reprimanded. Businesses must go the extra mile to provide support to remote employees, listen to their concerns and empower them with the tools they need to be both successful and secure.
4. Use a data-driven approach.
It’s a cliché to say you can’t manage what you can’t measure, and that’s because it holds true. Start by conducting a baseline assessment of your business. You can do this by measuring the current state of security awareness, attitudes and behaviors of your employees. In a hybrid world, there’s no one-size-fits-all approach. Security awareness, attitudes and behaviors of remote employees might be totally different from those on-site. For example, around 50% of employees admit to cutting cybersecurity corners while working from home.
Have a clear plan in place to achieve the targeted change in behavior and communicate expectations to all employees, starting from the top. Cybersecurity should be a regular boardroom topic, and its performance metrics and ROI routinely tracked to assess the progress of culture change. Research shows compliance is a cultural issue, and businesses lose an average of $14 million through non-compliance. Audit-friendly governance, risk management and compliance (GRC) tools can help identify, track and monitor the progress of compliance requirements.
5. Empower your workforce.
Good intentions alone don’t drive action. It’s important to provide employees with collaboration and remote connectivity tools that make them feel linked, productive and secure. Many leaders still perceive security as something that impedes productivity, so it’s important that communication and training programs overcome such prejudices as well.
Not all employees are the same, especially in a hybrid world; therefore, not all risks are the same. Businesses must routinely assess the effectiveness of cybersecurity tools and programs and fine-tune them based on the changing security threat landscape and feedback from users. Focus on the risks that need immediate attention, communicate your goals to stakeholders and ensure you have buy-in.
As the phrase often attributed to Peter Drucker claims: “Culture eats strategy for breakfast.” With today’s hyperconnectivity, security must be valued by everyone as a critical aspect of work and life. The security facet of your organizational culture is the most central element of cybersecurity strategy, with human behavior at its core. One needs to approach cybersecurity with the mindset that people aren’t the problem; rather, they’re the solution. Sustained investments in awareness and education, combined with tools that empower employees, a transparent environment and a metrics-oriented security strategy, are the foundational elements that help build a lasting security culture.