When a business is seeking to improve its level of cybersecurity, attention tends to be placed on selecting the best possible tools and services. Comparative evaluations are conducted, and decisions made about what measures will deliver the best bang-for-buck.

However, it should be recognised that effective IT security needs to extend well beyond technology. It also needs to also incorporate the people who use the infrastructure on a daily basis.

This is because many of the most potentially damaging cyberattacks initially target individuals rather than the infrastructure itself. Indeed, industry research shows that 97% of all data breaches start with a social-engineering attack. Unfortunately, just one action by an uninformed user can compromise an organisation’s entire IT infrastructure.

The problem is compounded by the fact that the first phase of many cybersecurity attacks can often go unnoticed. A staff member may inadvertently click on a malicious link in a phishing email or open an infected document and allowed an attacker to gain access to a network. The ramifications of this, however, can takes weeks or even months to become evident.

For these reasons, having a security-aware culture in place has never been more important. Staff need to understand the types of threats that are being faced and their role in preventing these attacks.

Strategies for building a security-aware culture

At its essence, a security-aware culture comprises a set of behaviours, values, and principles that guide staff activity on a day-to-day basis. The culture becomes part of an organisation’s ‘genetic makeup’ and helps to shape both attitudes and approaches to IT security.

It needs to be understood that a strong security-aware culture is not something that can be created overnight. Experience shows it can take anywhere from three to five years to build and implement.

Key influences that will drive its development include having a clear understanding of the particular threats faced by an organisation. Employees need to be educated about those threats and incentivised to change their behaviour as required. Some of the tactics that can be used include:

• Focus on positive reinforcement:
  Rather that creating a climate of fear around security threats, an organisation should encourage staff to report any mistakes or lapses that may have occurred. They need to understand that such reporting is a positive step and not something to be avoided.

• Recognise and reward positive behaviour:
  Reporting of potential threats and incidents should be rewarded through public acknowledgement. Staff should be congratulated on being proactive and held up as examples of good corporate behaviour.

• Use phishing simulations:
  As the vast majority of threats arrive via phishing campaigns, regular simulations should be conducted to ensure staff are aware of the current tactics being used by cybercriminals.

• Be methodical:
  To have the best chance of establishing a security-aware culture, the push must begin at the top. Senior management must be seen to be onboard and to be encouraging staff at all levels to be involved. Also, look to establish security champions in different areas of the business who can share key messages with their colleagues and help to explain what needs to be done and why.

The role of security awareness training

To achieve an effective security-aware culture within an organisation, regular and thorough training will be required. This training must involve all staff and cover a range of related aspects. Three of the key elements to cover are:

1. Use real-world examples: It can be easy to talk purely in theoretical terms, however more will be achieved if examples of actual attacks are referenced and explained. Use instances of high-profile attacks to show that even a small gap in defences can result in significant disruption and losses.

2. Test with realistic content: Provide staff with clear examples of the types of threats they should expect to see in their own email inboxes. Explain how messages may appear to have come from a legitimate source but could, in fact, contain malicious code. Show specific examples of messages that have already been received and the small details that exposed them as being fraudulent.

3. Reinforce that it’s an ongoing challenge: It’s important for all staff to understand that establishing a security culture is not a one-off exercise. It needs to become an integral part of all day-to-day activity as threats can appear at any time.

Having strong security-aware culture in place can do much to reinforce the protective measures in place around a business. Tools and processes are important, but they must be backed by informed and proactive users.