Despite investing more in cybersecurity every year, organizations continue to experience substantial losses from cyberattacks. A recent NIST report estimates the economic impact from cybercrime in the United States is between 0.9 and 4.1 percent of gross domestic product.
Although security technology continues to improve and cybersecurity programs are maturing, staying ahead of adversaries is increasingly challenging. Threats are evolving in scope and scale, and threat actors are working hard to become even stealthier.
Defending against today's sophisticated cybercriminals requires more than firewalls and antivirus software. While these tools were effective on their own in the past, they are no longer sufficient by themselves. So, even if you have the latest tools, a weak security culture puts your organization at risk.
You need to develop and maintain a culture of security that empowers employees to defend against cyberattacks. And a strong security culture requires buy-in from everyone across your organization—starting with leadership and continuing all the way down to frontline employees.
How to Build a Culture of Security
1. Understand what you're trying to protect and the potential threats you face.
How can employees protect something when they don't know what needs to be protected? They need to understand what information is sensitive and why it's important to protect it. Employees should also understand the tactics that cybercriminals use to gain access to information.
Phishing, for example, is a common attack vector that is often leveraged during multiple stages of an attack. Globally, the number of phishing attacks doubled in 2020, according to the Anti-Phishing Working Group. And in the United States, nearly three-quarters of surveyed organizations said they fell prey to a successful phishing attack in 2020.
One study found that 45 percent of phishing emails that impersonate a brand involve business-related applications like Zoom, Microsoft, and DocuSign. This indicates that threat actors are deliberately targeting employees.
2. Understand how individuals can impact the entire organization.
A mistake as simple as clicking on a link in a phishing email or being tricked into giving out login credentials to a social engineer can let cybercriminals infiltrate your network. Educate employees about the important role they play in protecting the organization from cyberattacks, and make sure they understand how their choices directly impact security.
Consider the example of Australian hedge fund Levitas Capital. The company went out of business in 2020 following a phishing attack on one of its co-founders.
The co-founder received an email masquerading as a Zoom invite, and clicking on the link resulted in a malware download. This gave the attackers control of the email system, and they issued more than $8 million in fraudulent invoices that appeared to come from legitimate vendors. As the last step, they spoofed the co-founder's email to approve those invoices and receive the funds.
Although scammers can be especially clever and these types of emails often look authentic, educating your employees about phishing and other threats can help prevent these kinds of incidents.
3. Provide ongoing security awareness training for employees.
As noted above, your employees need to develop the knowledge and skills necessary to defend against cyberattacks. This includes learning how to identify suspicious behaviors and how to respond to them. But security awareness training should not be treated as an annual event.
Ongoing training not only keeps security top of mind, but it also provides an opportunity to educate employees about the latest tactics employed by adversaries. The bad guys continually dream up new ways to attack and evolve their techniques. They also capitalize on the latest trends and global events to ensure their messaging resonates with recipients.
Think about the pandemic and how cybercriminals pivoted to make it a prominent theme for phishing, while also taking advantage of the opportunity to target remote workers. Researchers found that thousands of new coronavirus-themed malicious domains popped up daily as soon as COVID-19 began to spread worldwide. If you limit security awareness to an annual event, you simply cannot react to changes in the threat landscape as they occur.
4. Have regular discussions about threats.
Make security awareness an ongoing topic of conversation in your organization. Employees should learn how your IT or security team managed to keep out attackers, as well as hear about the times when hackers were able to achieve their objectives. Use these anecdotes to illustrate how employees' day-to-day actions help prevent security incidents, and conversely, how a wrong step puts the entire company in jeopardy.
Honest discussions that include takeaways from security incidents help drive the message home rather than making security an abstract IT concept that doesn't impact employees. These conversations also provide an opportunity for employees to have a voice and find answers to questions they have.
5. Welcome escalations.
Yes, some reported incidents will be false alarms, and employees come from different backgrounds with varying levels of experience in identifying threats, understanding technology, and appreciating the role security plays in their jobs. But no matter how 'silly' the question they ask may seem, security should always be a 'no-shame zone.'
The last thing you want to do is embarrass an employee over a security question or a lack of knowledge, because embarrassment only encourages people to cover up potentially dangerous incidents. It is much better to foster a safe environment where mistakes, uncertainties, and potential threats can always be reported, and where employees come away feeling both helpful and helped.
As employees develop a gut feeling for red flags and a better understanding of security, they will also catch attackers in the act more often. When employees report suspicious activity, acknowledge them for being careful and alert, and let the person who reported it know the outcome of the investigation. This shows employees that you value their role in keeping the organization safe.
Employees want to be part of the solution—make sure they have a positive experience when they report a problem.
6. Lead by example.
Building a culture of security starts at the top. Managers and executives need to model the behaviors and attitudes they want their people to adopt. Employees notice when leaders have a "do as I say, not as I do" mindset. If your organization's leaders don't take security awareness seriously, why should anyone else?
Leaders can help foster a culture of security by:
Promoting the idea that security is everyone's responsibility.
Demonstrating that security is their personal priority.
Encouraging an approach that rewards good behavior rather than punishing risky behavior.
Supporting security initiatives with adequate funding and resources.
Championing the importance of security awareness across the entire organization.
Embracing Security Awareness
Technology only goes so far in terms of protecting your organization in today's environment. Building a culture of security is essential for defending against cyberattacks. When security belongs to everyone, not just the IT team, you empower employees to play an active role in keeping your company safe.
Arctic Wolf® Managed Security Awareness helps organizations build a strong security mindset for all stakeholders. Delivered as a concierge service, the employee-centric security awareness training solution addresses the most common threats at the point of attack. With Arctic Wolf, you can empower employees to identify risks, recognize threats, and avoid mistakes that could expose your organization's sensitive data.