Security Culture: You’re only as strong as your team

Libby Fiumara | 24 August 2016

When you’re hurt, you feel pain, you see a cut or bruise, and you know within that very instant that something has happened to you. Harm within the digital realm, however, is not so obvious. You will not have the same instinctual response to protect yourself online as you would in the physical environment.

We’re not all security experts, and even when we are, vulnerability to threats online is still present. In order to create a safer, more secure company as a whole, understanding your company’s security culture becomes essential.


Security culture varies in both its definition and importance to each company. It’s just as reasonable for a company to be perceived as caring about a security culture as it is for them to view it as a chore. For example, would your company recognize you for asking for help in determining the threat of an email you thought may be malicious? Would you or your colleagues know where to send that email for review? Does your company have a specific inbox to send potentially malicious mail to?

Every organizational environment is diverse in its security culture. Some places are more lenient, while others follow the “3 strikes, you’re out” rule. Both cultures can be polarizing for employees, and often employees will not see the value in building more security skills. If your culture doesn’t see the importance of security knowledge, or even basic training around social engineering like phishing emails, you might lose out on talent that cares a lot, which can lead to higher turnover within your organization. In order to develop a strong security culture, we have to tailor how we communicate and think about security. More importantly, a strong security culture caters to the users who have little knowledge of security, and to those who have the knowledge but are not in the habit of security practices.

So how do we ensure that the person who should know better, but still puts the company in compromising positions, develops more security awareness and an understanding of how their actions can affect the entire organization's security?

 


We have to become more user-friendly. We can’t take control away from the user when they make a mistake, or else they aren’t fully learning and building positive muscle memory for how to double-check an email address or hover over a link before clicking. Ask yourself:

  • Are you making it easy for your employees to understand the risks that surround them?
  • How simple do you make it for employees to communicate with you about current and potential threats?
  • Do you create a shared effort within your organization to understand security?
  • Do you have ways for users to validate information?
  • Do you have a positive reinforcement process for communicating concerns?

Start to get users thinking technically:

  • Does your company have security mentors that use company policies to help educate and provide positive, constructive guidance and feedback?
  • Does your security team have an advocate that can help employees understand the good and bad of security through stories?
  • Are your security teams visible and a part of the rest of the company or are they separated?

When an employee feels empowered enough to say when they’ve clicked on something compromising – or, better yet, when they are afraid they might have – you begin to create a communal thought process that reinforces the importance of trust and transparency. This way information flows naturally and quickly, which will reduce the damage from any mistakes and help prevent future damage from happening.

A strong security culture isn’t built overnight, and is as reliant on you as it is on your whole company. Just like your mood, your security culture is contagious.