7 Tips for Building a Cybersecurity Culture

  • Written by: Matthew McGill and Kenli Parker
  • October 13, 2022

Hackers, like all humans, crave efficiency. And that makes your employees their favorite target. It’s easier, after all, to crack a person than a computer. You may picture someone tapping out code in a darkened room, but the bigger threat is an e-mail that fools an employee into granting access to the company’s system. That’s why social engineering attacks (such as bogus e-mails in phishing attacks) have become the most common method for penetrating an organization’s system.

Use the following list to ensure you're fully protecting your data by educating and motivating every employee to make cybersecurity part of their daily responsibility. 

1. Develop a cybersecurity awareness strategy 

A security culture takes shape only after someone with authority deems it important, forms a plan for achieving specific goals and then carries out the plan. Your first step should be a written plan that defines the security culture you envision and provides specific steps you’ll take to get there. For example, your culture will define what level of access to company data each employee receives. Include information security themes for each quarter, which will guide your communication and training. 

2. Extend your plan to the remote workforce 

If you’re thinking only in terms of access to office-based computers and servers, you’re several years behind. The rapid switch in 2020 to working from home should cement our understanding that the dispersed workforce is here to stay. Your data probably lives largely in the cloud with access coming from dozens of personal devices and home networks. Your plan and training need to cover all of that. 

3. Create a training plan 

About 30% of U.S. companies say they have no cybersecurity awareness and training programs for employees or other stakeholders. That leaves hackers a wide doorway into your systems. For your first information security training program, you can turn to dozens of low-cost solutions that provide excellent and relevant material. Or consider putting together a PowerPoint with relevant security topics that engage employees across all departments. Effective security training solutions include, at a minimum, the following list of topics: 

  • Data classification and sensitivity. Employees need to understand what types of data your organization stores, processes and transmits. Giving them an overview of this information helps them recognize the sensitivity of your records and how your business depends on each employee to protect the data they work with. 
  • Social engineering tactics, approaches, and examples. Attackers use threats, such as fraudulent phone calls, e-mail phishing, and facility access, to obtain more information about your organization or establish remote network access. Employees must be adequately trained to identify situations where bad actors are trying to get them to divulge sensitive information. 
  • Password best practices. Passwords are the primary authentication method employees use to access sensitive data. You must provide training on how to generate strong, effective passwords that align with your organization’s requirements. 
  • System patching. While your IT department will most likely manage employee devices, it’s imperative to emphasize the importance of system updates. Devices should always be kept up to date with the latest operating system and application patches. 
  • Incident response. Training should cover how to quickly and effectively report potential security incidents to management and/or IT staff. Data breaches are typically discovered by an employee observing suspicious activity on their computer system or network. 

4. Continuously train employees 

Many companies capitalize on a new employee’s eagerness by providing security training on the first day. While this is an important step in the onboarding process, it shouldn’t be the last time the employee hears about these policies and procedures. A study by Vanson Bourne found that just 11% of organizations continuously train employees on information security. We recommend refresher sessions at least a couple of times per year, which ensures employees get reminders on best practices, hear about the latest threats and recognize that management takes the topic seriously. 

5. Start with the basics 

Don’t generalize based on employees' job skills or age. Many leaders assume that young employees are savvier about information security since they’ve grown up using multiple digital platforms. But that familiarity—and a culture of sharing almost everything online—may actually make your younger team members bigger risks. Train everyone, and make it available in several formats (presentations, videos, quizzes, etc.) so that employees get the message regardless of their learning style. 

And don’t skip the basics in your training materials. For example, “Password” is still one of the world’s most common passwords. And a Verizon study shows that approximately 76% of attacks on corporate networks involved weak passwords. So as obvious as the need for strong passwords may seem—it obviously isn’t. 

6. Involve company leadership 

When employees not only hear leaders talking about the importance of information security but actually see the leaders sitting beside them in training sessions, the message is clear. Use your top managers to reinforce the priority your organization puts on security. 

7. Measure progress 

Your long-term strategy should include benchmarks showing how you’re doing. Some common performance indicators include tracking how many employees fail routine phishing tests, who is reporting suspicious emails, how often employees change their passwords, and who is adhering to your organization’s Clean Desk Policy. With metrics in place, you can track progress and identify employees who aren’t embracing or understanding policies. 

If all of that sounds a bit overwhelming, see how HBS can help! Every week, our consultants help companies create their security strategy, develop plans for implementation, and maintain security awareness and training effectiveness. 
