
Establishing a Culture of Cybersecurity in Your Organization 


“As cybersecurity leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture.”

— Britney Hommertzheim, Business Information Security Officer (BISO) for Cardinal Health


What is the leading cause of data breaches for small businesses? If you guessed inadequate firewalls, bad configuration management, or poor systems administration, you’d be incorrect.


According to Verizon's Data Breach Investigations Report, human error accounted for 85% of all data breaches in 2021. That may sound like bad news, but there is a silver lining to the dark cloud. Knowing the main cause should encourage small business owners to adopt the practices needed to better secure IT assets going forward.

 

Before you get worried about the perceived massive costs needed to bring your small business into cybersecurity compliance, understand that you don’t need to make a deep investment in new security products or re-engineer all your cybersecurity implementations. Small businesses can eliminate most data breaches simply by investing time and effort into educating system users on best security practices. Providing practical instruction on the dos and don’ts of cybersecurity is the first and most important step toward developing a culture of good cybersecurity awareness across your enterprise.

 

It is much easier to develop a culture than to change one, just as any cybersecurity solution is more effective when implemented during your network engineering and development phases rather than after the fact. An effective cybersecurity culture takes hold more quickly if it is ingrained from the beginning.

 

If you own or work for a startup, it’s essential to focus on cybersecurity from inception. Hiring a cybersecurity professional with experience in developing training programs is a must. If you’re past the startup stage and find yourself trying to instill a robust cybersecurity culture, you need to invest time and effort into training (and possibly reprogramming) your workforce and the way they look at cybersecurity.

 

The availability of training, and an emphasis on its importance, must underpin any effort to instill a strong cybersecurity culture. Developing or obtaining cybersecurity training for every staff member is a must. Requiring a baseline level of demonstrated cybersecurity knowledge for every system user must be a foundational standard within your program. Emphasizing the value of cybersecurity through your words, investments, and requirements demonstrates to your employees the culture you are putting in place and its importance.

 

Once you establish a baseline, it’s essential that your employees continuously evolve their understanding of cybersecurity. Just as the threat evolves and grows, training must keep in lockstep. There’s a need to continuously evaluate your program and training to ensure they effectively keep pace with the threat environment.


Concurrently, a small business must continuously test its employees. At a minimum, you need to establish annual training requirements for every user (with the training commensurate with the user’s role) and make continued access conditional on successful completion. It is also an industry best practice to run unannounced exercises on a semi-frequent basis. Develop and send suspicious (but innocuous) emails to users, measure and document their reactions, and train and retrain them appropriately as their responses dictate.

 

Finally, a small business owner should lead by example. An effective leader understands the need to demonstrate the behavior they wish to see from their employees. Words matter. Constant communication from leadership to the workforce on the importance of taking security seriously, news about the latest threats, and updates on how the company is investing in cybersecurity are invaluable pieces in developing a culture of strong cybersecurity.

 

 
 
 
