Cybersecurity today is not only a technical challenge but also a human challenge, a matter of security culture. Criminals do not only exploit technical deficiencies; they often rely on people to gain access to sensitive data, and it is therefore the human factor that causes the most serious security breaches. Building and maintaining a strong security culture is therefore an extremely important part of cybersecurity work.
What is security culture?
Security culture is the shared values, conceptions, attitudes, knowledge and behaviour of individuals and groups in an organization, focused on creating security in the business. Security culture is about how employees' values affect the way they think and act in relation to risk and security. It therefore has a great impact on how people work and influences employees on a daily basis.
What is a good security culture?
In a good security culture, everyone is aware of the risks and has both the knowledge and the will to contribute to reducing them through their actions. Security thinking is an obvious part of the business. In other words, the security culture strongly affects how people work and prioritize, and in various ways creates the conditions for employees to work securely. A good security culture in a workplace is also characterized by management prioritizing and handling security issues at all levels of the business, so that they are part of the culture.
A good security culture reduces the risk of security breaches
According to NTT Security's Risk:Value Report 2019, it costs an average of EUR 3 million to recover after a security breach. For 2018, the figure was EUR 1 million, which means that the cost has increased dramatically. With a good security culture, you can minimize unnecessary security problems. This reduces the risk of major operational disruptions and avoids the high costs of trying to repair security breaches.
Young people are often less aware of the importance of security culture
According to a report from NTT Ltd, those under 30 are often the worst at security in a workplace. Millennials, i.e. those born between 1980 and 2000, have grown up with technology as a natural part of life, but that does not automatically make them more cybersecure; rather the opposite. For them, speed, productivity and flexibility are more important, and they often have a more relaxed attitude towards cybersecurity, which actually makes them a ticking security risk. Making them aware of risks and teaching them how to work securely without becoming more inflexible are therefore priority measures.
How do we improve the security culture?
To improve the security culture, attitudes and behaviors must change. Organizations must see cybersecurity and security culture as a business-critical activity and not as an isolated IT issue, and management must prioritize the issue.
What should permeate the work with the security culture is to think of security as something that enables the work rather than hinders it.
Some simple concrete steps that everyone can follow are the following:
- If you have something of value at home or in the workplace, you lock it up, have an alarm and keep track of who is allowed to come in. Do the same with digital information.
- Don't use the same password for everything, and preferably use two-factor authentication when possible.
- Remember to use a good password and never give out the password to anyone else.
- Avoid browsing on public Wi-Fi networks where security is not the best.
- Do not click on links in suspected phishing emails, and report to the IT department as soon as you suspect you have been subjected to a phishing attempt.
- Try to have regular boost sessions where you talk about security, remind yourself which security policies exist, and go through their contents.
- Keep your devices updated, i.e. carry out all updates. The reason is that these updates contain security enhancements that you should of course be aware of.
Need help getting started with a better security culture at your workplace?
You are welcome to contact us at Advenica. We have long experience in cybersecurity and know what is required and which procedures and processes you need to go through in order to create a strong security culture.