American companies are facing a big problem. Not enough employees are trained in defense against the dark arts of cyber threats.
According to a recent ISACA/CMMI Institute Cybersecurity Culture Report, only 5% of all employees believe the cybersecurity culture of their organization is as good as it needs to be to protect their company from threats. In the same report, 87% of firms said that establishing a culture of cybersecurity would improve the organization's profitability and viability. In other words, the large majority of companies want to see their employees become white hats who can hold the line against the constant onslaught from bad actors.
With companies coming to a general consensus that cybersecurity culture is lacking, why hasn’t anything changed? One big hurdle is the fact that 42% of organizations don’t even have a cybersecurity culture management plan or policy. Another big hurdle is capital. The organizations that reported they were content and felt secure with their current cybersecurity culture spent 43% of their cybersecurity budget on training and tools. Meanwhile, the organizations that reported a significant gap between their current and desired cybersecurity culture were spending less than half of that, at 19% of their annual cybersecurity budget.
So, how do companies make the changes they want to see in their cybersecurity culture? The answer starts at the top. C-level execs need to learn cyber awareness themselves and become the headmasters who push the culture shift through the company. While changing your corporate culture, keep the following do's and don'ts in mind:
Do Expect Mistakes
Employees are both your most vulnerable and your most critical line of defense against cyberattacks. Recognize that human error is inevitable, regardless of how well employees are trained; the goal is to shrink it and to catch it quickly, not to eliminate it.
Don’t Punish Errors
When users are punished for their mistakes, they are less likely to report incidents as they occur. A clicked link that is reported within minutes is a contained event; the same click that goes unreported because the employee fears the consequences is an intrusion nobody is hunting. That lack of communication can be fatal to your organization.
Don’t Rely on Annual Training
A once-a-year compliance module doesn't work and provides a false sense of security. Training must be multifaceted, ongoing and consistent. Put your white hats to the test with assessments other than the end-of-module quiz, such as simulated phishing campaigns, so you can measure whether the training program actually changes behavior.
Do Set Achievable Security Goals
Rome wasn't built in a day, but bricks were laid every day. A decent starting goal is a measurable reduction in the percentage of employees who click a malicious link during a simulated phishing campaign. Once you see sustained improvement there, move on to the next goal, for example raising the percentage of employees who report the simulated phish.
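One way to track the starter goal above, and the reporting behavior that the "Don't Punish Errors" section depends on, is to score each simulated-phishing campaign from its event log. The following is an added example, not code from the article or from the ISACA/CMMI report. The log format (one `<campaign> <user> <event>` line per event), the event names, the user ids and the 20% target are assumptions chosen for illustration, and the sample events are constructed, not real results.

```python
"""Score simulated-phishing campaigns against an incremental goal.

Added example, not code from the article or the ISACA/CMMI report. The log
format, event names and the 20% target are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

EVENTS = ("delivered", "clicked", "submitted", "reported")


@dataclass
class CampaignStats:
    """Users per outcome; a user counts once per outcome however many events they generate."""
    delivered: set[str] = field(default_factory=set)
    clicked: set[str] = field(default_factory=set)
    submitted: set[str] = field(default_factory=set)   # entered credentials on the landing page
    reported: set[str] = field(default_factory=set)    # used the report-phish button

    def _rate(self, users: set[str]) -> float:
        return len(users) / len(self.delivered) if self.delivered else 0.0

    def click_rate(self) -> float:
        return self._rate(self.clicked)

    def submit_rate(self) -> float:
        return self._rate(self.submitted)

    def report_rate(self) -> float:
        return self._rate(self.reported)

    def clicked_then_reported(self) -> int:
        """Users who fell for it but still raised their hand: what a no-blame culture buys you."""
        return len(self.clicked & self.reported)


def parse_log(text: str) -> dict[str, CampaignStats]:
    """Parse event lines into per-campaign stats.

    Rejects malformed lines and any click/submit/report for a user the
    campaign never delivered to (assumes delivery events are logged first).
    """
    stats: dict[str, CampaignStats] = defaultdict(CampaignStats)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in EVENTS:
            raise ValueError(f"line {lineno}: expected '<campaign> <user> <event>', got {raw!r}")
        campaign, user, event = parts
        s = stats[campaign]
        if event != "delivered" and user not in s.delivered:
            raise ValueError(f"line {lineno}: {user} {event} before delivery in {campaign}")
        getattr(s, event).add(user)
    return dict(stats)


def goal_met(prev: CampaignStats, cur: CampaignStats, min_relative_drop: float = 0.2) -> bool:
    """The starter goal: click rate fell by at least min_relative_drop versus the
    previous campaign, and the report rate did not go backwards. Checking both
    stops "improvement" that is really users ignoring mail from counting as progress."""
    click_ok = cur.click_rate() <= prev.click_rate() * (1.0 - min_relative_drop)
    report_ok = cur.report_rate() >= prev.report_rate()
    return click_ok and report_ok


def build_sample_log() -> str:
    """Constructed data for two quarterly campaigns of ten users each (not real results)."""
    users = [f"u{i:02d}" for i in range(1, 11)]
    lines = ["# constructed sample: <campaign> <user> <event>"]
    for campaign in ("q1", "q2"):
        lines += [f"{campaign} {u} delivered" for u in users]
    lines += [
        "q1 u02 clicked", "q1 u05 clicked", "q1 u07 clicked", "q1 u09 clicked",
        "q1 u05 submitted", "q1 u09 submitted",
        "q1 u03 reported",
        "q2 u04 clicked", "q2 u08 clicked",
        "q2 u08 submitted",
        "q2 u01 reported", "q2 u04 reported", "q2 u06 reported", "q2 u10 reported",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    stats = parse_log(build_sample_log())
    for name in ("q1", "q2"):
        s = stats[name]
        print(f"{name}: delivered={len(s.delivered)} click={s.click_rate():.0%} "
              f"submit={s.submit_rate():.0%} report={s.report_rate():.0%} "
              f"clicked-then-reported={s.clicked_then_reported()}")
    print("q1 -> q2 goal met:", goal_met(stats["q1"], stats["q2"]))
```

The design choice worth copying is that `goal_met` refuses to celebrate a falling click rate unless the report rate held or rose: a click rate can fall because people stopped reading email at all, which is not the culture you are trying to build. The `clicked_then_reported` count is the direct signal that "Don't Punish Errors" is working, since those are exactly the people who had a reason to stay quiet and didn't.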
A culture of cyber awareness that you can be proud of can be built. To get there, security leaders must set reasonable, incremental goals while showing a willingness to try new things to get good results. Remember that cybercriminals are masters of social engineering and are constantly evolving, so a few missteps should be expected. Handled well, those mistakes are your most valuable learning tool. Your culture of cyber awareness may currently seem like a pipe dream, but every step gets you closer.