Good cybersecurity in business is everyone’s responsibility, according to a recent article published by the World Economic Forum (WEF) and penned by Zurich Insurance Group’s chief information security officer, Paige H. Adams.
Not everyone needs to be an expert, but cyber security awareness training is vital
Cybersecurity leaders, says Adams, are also business leaders “working to protect data without business interruption.” Though “cybersecurity challenges are daunting” and not everyone is a cybersecurity expert, they don’t need to be. The most important factor in a combined fight against cybercrime is:
“Those with the primary responsibility for cybersecurity in an organization communicate risk effectively among their colleagues and across the business.”
Creating a culture of cybersecurity to fight cybercrime
Adams says incorporating cybersecurity into a corporate culture will help to reduce risk and increase resilience against cyber-attacks. A culture of cybersecurity is the 10th point in a guide to dealing with cybersecurity challenges published by WEF titled “Cybersecurity Guide for Leaders in Today’s Digital World.”
Zurich Insurance Group uses a risk-based framework that helps to achieve a cybersecurity culture. Adams says:
“Its Integrated Information Security Baseline (IISB) unites security efforts across the global organization and helps business leaders – business unit CEOs, COOs, CFOs – to better understand and manage critical cyber-risks.”
Creating a cybersecurity culture, she says, is not about making every employee an expert. It is instead about creating an understanding of risk across the organization, making cybersecurity a top-level dialogue, building security awareness, implementing engaging training (even using gamification, prizes, and fun quizzes), and creating open channels of communication so that informed employees can report risks.
Why is security awareness training essential for everyone?
Firstly, Adams points to the well-known problems that make it essential for every employee to have knowledge of cyber risk and to receive security awareness training. Adams says:
“Nearly all individuals in an organisation have access to information that is valuable to cybercriminals.”
And data breaches can be “enabled by unintentionally risky behaviours” such as weak passwords and poor login practices. She adds:
“The bulk of today’s cyberthreats achieve their goal through humans and the targeting of individuals.”
In particular, individuals are targeted by phishing attacks, which social engineering makes more effective.
Indeed, as many as 99% of cyberattacks rely on human interaction to work, and that interaction is often an unwitting employee’s reaction to the attack. Individuals really are the last line of defence against many attacks, and it is often the security awareness they apply in their daily activities that empowers this defence.
Making cybersecurity training fun for best effect
Secondly, Adams shares her points for making a cybersecurity culture more robust, starting with creating a framework for managing risk that can be communicated across an organisation. CEOs should be part of the cybersecurity dialogue: if a CEO talks about phishing awareness, this will filter down through all levels of a business.
– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.
The Zurich Insurance Group CISO suggests:
“Creating a security instruction and awareness function and appointing a senior leader responsible for running security awareness campaigns and overseeing security training.”
She also suggests that incentive programs can reinforce positive cybersecurity behaviour in the workplace:
“For example, phishing simulation training could be made more enjoyable through gamification and small prizes for those who report the most phishes.”
And, beyond mandatory annual training:
“You can also find ways to make engaging, bite-sized security training available throughout the year. This can be delivered through fun quizzes, cartoons or security-focused webisodes.”
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
Communication channels are also vital, according to Adams, both for reporting suspicious activity and for constantly reminding staff of cybersecurity risk so that it is kept “top of mind.”
“Company newsletters, blogs, digital signage and posters are all good venues for promoting anything from a cybersecurity tip of the day or slogan, to an interview with a top company executive on the topic of cyber fraud.”
Adams concludes by saying every person in a company or organization is a “security champion” and has a responsibility to support a company’s cybersecurity team.
As we offer security awareness training and phishing simulation training here at The Defence Works, we happen to agree wholeheartedly with Adams and the WEF. We also know that ultimate responsibility for cybersecurity may rest with a CEO, but it is certainly a tenet of every role within a company today. In the same way that retail workers have a responsibility to look out for, prevent and report physical theft, every employee in any technology-using business must make sure that digital threats are identified and dealt with to the best of their knowledge.
We know security awareness training needs to be quick, simple, and fun, so we use real-life scenarios and role play, as well as interactive episodes and comedy sketches.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.