Cetrom Blog - Industry insight from leading cloud provider

Creating a Culture of Cybersecurity

Written by Cetrom | August 24, 2021

Cybersecurity is often associated with complex technology and skilled, technical experts. Technology and IT professionals are certainly one part of protective cybersecurity, but a strong culture of cybersecurity goes well beyond technology and security experts. Given that the average cost of a data breach is now approaching $4 million, cybersecurity is rightly being paid a lot of attention. CPA firms are also at particular risk given the high financial value of their data, and there are certain threats that specifically target CPA firms. As we’ve pointed out in previous blog topics, the best wall in the world won’t help if someone on the inside lets the intruder in through the gate. A culture of cybersecurity ensures that all staff understand their importance in keeping the company secure. At Cetrom, we focus on using the most advanced technology including artificial intelligence, offering 24/7 assistance, and employing skilled engineers, yet we continually emphasize to our clients that creating a culture of cybersecurity is one of the best things they can do to protect their company. Here are some of the suggestions we have for creating a cybersecurity culture.  

What is a Cybersecurity Culture?

Culture is mostly made up of the little things that often go unnoticed by people within that culture. In a society, it can be things like how people are greeted, which meals are popular, and even what eye contact symbolizes. Similarly, cybersecurity culture is made up of everyday actions and routines like how staff choose passwords and send information to each other and clients. Cybersecurity culture is also how emails are opened and answered, as well as the organization’s policies concerning remote work, web browsing, and data storage. Cybersecurity culture may seem mundane, but strong security is built on these simple fundamentals. Culture can be thought of as the end result of habits and mindsets. In order to change a culture, or create a new one, an organization and its members must pay careful attention to their everyday actions and routines.

Five Tips for Creating a Cybersecurity Culture

Creating a strong cybersecurity culture needs to be based on simplicity, easy-to-understand and actionable requests, and clear reasoning and communication. The end goal is to eliminate barriers for staff in order to get complete buy-in around the priority of cybersecurity. Below are five of the ways that we at Cetrom have helped our clients create a culture of cybersecurity.

  1. Employees are the first line of defense: From C-suite executives to temporary interns, employees are a critical part of developing strong cybersecurity. According to “Kaspersky Daily,” at least 46% of cybersecurity incidents are caused by careless or ignorant staff members. Employees are the first line of defense, and put another way, they are the primary weakness. Learning how to spot a malicious email is a simple and highly effective skill for all employees. Employees need to know what they must do in order to keep the company and client data safe — the simpler the better. For example, emphasizing three key procedures like creating strong passwords, practicing safe email and browsing habits, and using data security best practices may prove more effective than overwhelming staff with a laundry list of security practices. Employees also need to be supported through cybersecurity training, access to two-factor authentication, and adequate technology. Make it clear to employees that their web-browsing, email, and data habits are critical to your firm’s cybersecurity success — and what’s more, show them what you expect through cybersecurity training courses.  
  2. Develop & implement cybersecurity training courses: Cybersecurity training provides the foundation for norm and habit changes. Often, employees are focused exclusively on succeeding at their job, and cybersecurity and data security take a backseat to speed and ease. Without proper training, it’s easy to develop dangerous cyber habits. Cybersecurity training needs to be part of every employee’s onboarding procedure and should be done multiple times a year. At Cetrom we offer customized training, but at a minimum training needs to address: email best practices; data security procedures; spotting common scams like phishing and malware; emerging cyber threats; building strong passwords; staying secure while working remotely or on mobile devices; and recognizing and communicating threats. In addition to implementing training, testing your training is an essential part of creating a culture of cybersecurity. 
  3. Test your training: Training is only as good as its end result. Just as a competition can highlight the impact of practices, testing your training helps ensure its effectiveness. Testing your cybersecurity training allows you to get a real-time look at current weaknesses and strengths. Within employee training, tests can be as simple as questions about key training concepts and not allowing employees to move on until they pass. Tests can also be broader and more in-depth, like mock email scams, data security probes, or an assessment of employees’ password strength. It’s often best to have the test administered by an objective party that will actively try to exploit weaknesses in the system. Tests are key to gauging employee buy-in and habits, while making security the easy choice helps ensure you’re setting employees up to succeed.
  4. Make security the easy choice: Just as stocking a house with fruits and healthy meals makes healthy eating the easy choice, structuring your firm’s systems and policies to reinforce cybersecurity makes security the default choice. Broadly speaking, consistent education, reminders, and reinforcement help build secure habits. Security should be baked into your firm’s practices through password expirations, strong email and browser filters, and enterprise-level security. Have specific company policies that reinforce security like web-browsing rules, email best practices, and remote work policies. Employees should confirm their agreement with these policies. The digital security experts at Norton recommend cybersecurity compliance programs that require changing passwords frequently and updating key applications. Pave the way for employees to practice good security, and finally, inspire ownership over the process and results.
  5. Inspire ownership — data security is an all-hands effort: Be sure employees know what they need to do and how important their role is for strong data security. Some companies will provide incentives (like cash, gift certificates, and PTO) for good data security practices and for taking the extra step to keep data safe. Many organizations are making data security and other cybersecurity practices part of employee and department evaluations. Ownership means benefiting when things go well and struggling when they go wrong. Inspiring ownership makes it clear that cybersecurity is shared by all employees.   

What’s the Bottom Line?

At Cetrom, we certainly believe in and actively use advanced technology and capable engineers. But we also recognize the importance a company’s culture plays in avoiding cybersecurity incidents and data breaches. It’s why we offer frequent employee training, system testing, and around-the-clock support. Even if your company isn’t quite ready to upgrade your security to a cloud-based solution, improving your firm’s cybersecurity culture is one of the most proactive steps you can take to improve security. As a starting place for creating a stronger culture of cybersecurity, focus on the everyday habits, implementing long-term institutional change, and building a culture where security is the easy, default choice. If you have questions about how to create a culture of cybersecurity at your specific organization or how to take the next step toward better security, contact Cetrom today.