Security Starts from Within: How to build a security culture in your business

Security Starts from Within: How to build a security culture in your business

Each year there are new attack vectors, hacking tools and vulnerabilities that put businesses at risk of a cyberattack. In the early 2000’s the most common cyber-attacks were computer worms that propagated through email spamming. Fast forward to 2021, and the last year has seen the massive rise of ransomware attacks. Regardless of the current trends in attack vectors, if a business has a strong security culture it decreases the chance of falling victim to an attack.

What is a security culture and what are the benefits?

A security culture is a set of values shared by all employees of an organisation that shape how individuals and the company approach security. This culture aims to decrease the chance of a business falling victim to a cyberattack, by ensuring that employees understand the fundamentals of cybersecurity, the importance of strong security and including cybersecurity as a core value of a business.

The obvious benefit of building a security culture within a business is that it will decrease the risk of a security incident. However, it also leads to more engaged employees, both with security and the wider business, and it is a method of increasing security without needing to outlay significant monetary investment in cybersecurity.

How to build a security culture within your business

Provide Employee Education and Training

A large part of a security culture is employee education and awareness of cybersecurity fundamentals. A business cannot expect employees to report a threat or unsafe behaviour if they do not understand the cybersecurity threat landscape, or best practices. When implementing education and training it should be a constant process to ensure employees retain the information and it should be delivered in an engaging manner. The training should include common attack methods and how to recognise them, the potential cost of a data breach or cyberattack and the policies and procedures to follow if employees believe they have detected an attack attempt or breaches of policy.

Deploy Regular Tests

To ensure employee training is effective, it is best practice to run regular security awareness tests. These may be short online quizzes sent monthly or quarterly, both to assess employee knowledge, and to remind employees of the importance of cyber security. Another method of testing is to simulate a phishing attack. This is an effective testing method as it shows if employees are constantly looking for potential attacks and if employees would fall victim to a real cyberattack. Finally, for a more comprehensive test of overall security, penetration testers can be hired to see if they can gain access to a network using real hacking and social engineering techniques.

Leverage Technology

Training and testing alone will not stop all attacks. At some point employees will make a mistake, or a business may be targeted with complex and difficult to detect attack. For this reason, it is important to have technology in place to stop potential phishing or malicious emails landing in inboxes and stop ransomware attacks in their tracks. Mimecast uses AI to block suspicious emails and has cloud-based web protection at the DNS level to stop malware. Through Mimecast it is also possible to run security awareness training to continue to build a security culture within an organisation. Similarly, even if an employee falls for a ransomware attack, Acronis Cyber Protect can automatically revert to a clean version of the system to decrease downtime and ensure that a business does not lose significant data or money recovering from an attack.

Reward and Recognise Wins Without Shaming Fails

Through both testing and real attacks, there will likely be situations where employees react perfectly and recognise and report an attack, and there will be times where employees make mistakes and fall victim to an attack. When employees recognise and report a potential attack, they should be rewarded for doing so and the success story should be shared with the rest of the business, as it shows the organisation’s commitment to security. Conversely, if an employee fails an internal test, or falls victim to a cyberattack, it is important to not shame them for making a mistake, but rather continue training to ensure it does not happen again.