Why security culture matters in Australia
By Jacqueline Jayne KnowBe4
High-profile data breaches continue to bring cybersecurity to the top of the conversation. Yet IT decision-makers are still struggling to build a security culture in their organisations, and end users are even more in the dark.
Before we look at security culture in Australia, let’s look at what it is, as there are vastly different definitions of the term.
According to new research from KnowBe4, when it comes to defining security culture, those IT decision-makers who have heard the term most commonly say that, to them, 'security culture' means:
• recognition that security is a shared responsibility across the organisation (67%)
• having an awareness and understanding of security issues (64%)
• compliance with security policies (59%)
• security being embedded into the organisation’s culture (44%)
• establishing formal groups of people who can help influence security decisions (36%)
* Respondents were able to select more than one response.
While all the responses are correct in their own way, one stands out because it incorporates all the others: the 44% of IT decision-makers who said that a good security culture means security is embedded into the organisation’s culture.
Additionally, only one-third of IT decision-makers across Australia both know what 'security culture' is and think their organisation has a good one.
The phrase ‘security culture’ is beginning to find its way into the lexicon of IT leaders. But there is a problem. IT decision-makers have vastly different definitions of security culture, which makes it almost impossible to measure and work towards. At KnowBe4, we define security culture as the ideas, customs and social behaviours that influence an organisation’s security. A common definition makes it possible to discuss the same thing, in the same way. And if you do not measure something, you cannot know whether it exists or is improving.
When it comes to security culture across the broader organisation, employees are even more in the dark. A quarter (25 percent) of office workers say their employer has not communicated about security culture at all, and more than two in five (43 percent) have never heard the term. Only a third of office workers (34 percent) say their employer has communicated about security culture, and only a quarter say they are clear on what it means and what their role is.
How employees perceive their role is a critical factor in sustaining or endangering the organisation’s security. Employees must be educated on securing not only their professional but personal environments. What they learn and how they incorporate it into everyday behaviours and attitudes is completely transferable into their personal lives and will protect their data.
Building a strong and positive security culture is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organisation’s risk and increase resilience. The question is, how do we go about it?
Historically, the IT department has been responsible for security awareness training. Over the last 10 years the attack surface has grown exponentially: technological developments, faster internet, greater accessibility, the growth of mobile devices and, more recently, the move to remote working mean that cybersecurity is literally on the move, as we take our devices everywhere with us. As a result, responsibility for cybersecurity has spread from IT to everyone in the organisation.
Over the years, the evolution of best-in-class security awareness training has included the following elements:
1. Continuous awareness, training and education for the cyber threat landscape.
2. An opportunity to apply what has been learned using simulated phishing (malicious emails) programs and assessments or quizzes.
3. Observable changes as they relate to secure behaviour.
The question we continue to hear globally, and what keeps IT professionals such as yourself up at night, is: “We are training our people and rolling out simulated phishing emails, which is great. We want to create a security culture and are unsure how to do that.”
There are a couple of elements to consider in order to answer that question.
The first is that successful programs typically include support from across the organisation, clear communication of the what, why and how, and an understanding that security awareness requires an ongoing, continuous approach.
The second is an understanding of what is required to create a security culture. You certainly cannot buy it off the shelf. Every organisation already has a security culture, whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen.
At this point, take some time to reflect on your organisation and its current security culture. The KnowBe4 Seven Dimensions of Security Culture is a good place to start, as it looks at the following elements:
1. What attitudes do you expect your people to have towards security?
2. What behaviours do you want to change or see?
3. Do your people have an understanding, knowledge and sense of awareness?
4. How do you communicate with your people and do they feel like they have a part to play?
5. Have you considered and included your people in your policies, and do they know what to do?
6. When it comes to the unwritten rules of conduct at your organisation, have you thought to include (cyber) security?
7. Lastly, and perhaps most importantly (without it you are doomed to fail), do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?
Once you have an idea of where you are, it is time to consider, discuss and define what your organisation’s security culture should be.
In addition to answering operational questions like those above, the KnowBe4 Security Culture Survey provides indicators for reporting your organisation’s security posture to the board or executive team.
For more information, please see our Security Culture Report here: https://www.knowbe4.com/organizationalcyber-security-culture-research-report
No matter where you are in your security awareness journey, it is always a good time to focus on security culture. We have a long way to go to embed security into our daily routines. Perhaps we are one or two generations away from everyone thinking of cyber first, just as we do regarding sun safety in Australia with Slip, Slop, Slap. Until then, please ensure you are applying best practices for security awareness with a focus on security culture.