How to Build a Cybersecurity Culture

Are you tired of seeing your papier-mâché network defenses torn to shreds? Do you wish you could fake your way through yet another audit, but fear being exposed by a data leak? Are hoodlums in Adidas clothing using your IT infrastructure as their own personal cloud? Well, tough. Cybercriminals are here to stay and your security budget isn’t getting any bigger. (Case in point: from 2019 to 2020, security budgets for enterprises decreased from $18.9 million to $14 million.) You are left with one option: learn to handle it like a pro.

And to do that, you need what experts in the IT community like to call a cybersecurity company culture. 

What is a Cybersecurity Culture?

While company culture is often associated with perks like free food, shortened Fridays and fancy gyms, it also has a lot to do with what your company, and your employees, value. Simply put, one of those values needs to be security, because the truth is that every employee plays a role in keeping your company safe from cybercriminals.

In 2020, IBM X-Force Incident Response and Intelligence Services (IRIS) found that phishing was still the number one infection vector, and in the first quarter of 2021 nearly 50% of all email traffic was spam. Among that spam were 38,195,315 malicious mail attachments. These malicious attachments and phishing emails aren’t just being sent to the security pros in your organization. Anyone in your company is fair game, including your executives. What’s worse, the attachment is often only the first stage of a longer, more sophisticated operation: the payload that runs when someone opens it is just a foothold, and credential theft, lateral movement and whatever the attackers are really after come later. Advanced threat actors use phishing as an initial infection vector, and it plays a major role in the attacks dominating the headlines these days: ransomware. REvil, one of today’s most notorious ransomware gangs, the group that hit Acer with a record $50 million ransom demand, uses phishing as one of its primary methods for distributing malware.

Then there was the recent Colonial Pipeline ransomware attack, which shut down the largest refined-fuel pipeline in the U.S. for several days. How did the attackers gain an initial foothold? A single compromised password for a VPN account, one that was no longer in active use but had never been disabled and was not protected by multi-factor authentication, gave them access to the company’s corporate network.

All of this is to say that security responsibility doesn’t just fall on the shoulders of your IT technicians. It falls to your managers, your C-suite, even that guy who hasn’t had a raise in five years: really, anyone with an email account. That includes the people in HR and accounting who are literally paid to open email attachments all day, and you can’t expect them to get it right 100% of the time, because it’s hard and they won’t. Nor can you rely solely on sophisticated security solutions to get the job done (although a strong endpoint protection platform is indeed a good place to start, precisely because it is what stands behind the user on the day a malicious attachment does get opened).

How to Build a Culture of Security

That’s the bad news. While cybersecurity often seems like an industry that traffics solely in fear and anxiety, we do have good news from time to time. The good news is that we’ve learned a lot from the mistakes of the past few years. Even better, it’s entirely within your power to change things: to build security into your everyday processes and get your team on board. It’s honestly as simple as proper security awareness training. Think about it: how can your team stay ahead of the threats if they don’t actually know what they are? Yet a recent study by Kaspersky found that nearly two-thirds of employees hadn’t received any kind of cybersecurity awareness training since they made the transition to remote work. We get it: staying focused while working from home can be hard enough, and company-mandated training doesn’t exactly scream ‘Fun!’ Here, though, there’s more good news from the security community. New technology like virtual reality (VR) lets you not only learn about the evils of phishing, but actually enjoy doing so.

There are many reasons to add gamification to the workplace, particularly when it comes to security awareness. Not only do you get to test your skills against security scenarios that are all too common, but it raises the stakes of the learning process (albeit in a minor way): no one likes to lose. Even better, it makes training far more enjoyable. Let’s face it, when you can combine “fun” with network takeovers, it’s a lot easier to get your team on board with building a company culture around security.

VR can take gamification to another level by providing total immersion in the training scenarios, leading to greater engagement and better learning outcomes. In fact, a study at the University of Maryland found that people who studied information through a VR headset recalled it more accurately than those who studied the same material on a desktop display.

Imagine a gamified, immersive experience where you’re working your way through a virtual reality interactive protection simulation. In it, you play the role of a despondent IT security guy with zero sway over the administrative board and are tasked with rooting out multiple threat actors who have been with the company so long they have seniority. Armed with limited financial means and the power of wishful thinking, you deploy insecure software, blame your ineptitude on interns and face user backlash as you enforce dubious countermeasures in a realer-than-life virtual universe.

Technology like this—and really any “gamified” training—lets you and your managers briefly forget about the incidents taking place in your network and experience the despair of a total IT takeover in a safe environment. That way, you can learn how to devise a sound crisis communication plan as your customer data vanishes or figure out which selective paper-trail policy will provide the greatest amount of plausible deniability, all in a way that will make the lessons stick—no boredom required. 

To make a long story short, you can be the hero your company deserves, and, at long last, you can turn your managers into the amateur security pros (or pro-security amateurs) they were meant to be. You have all the tools you need to build a strong cybersecurity culture at your disposal.

The first step is simply recognizing that security has to be a priority. The next is recognizing that cybersecurity isn’t all doom and gloom—or repetitive, incomprehensible lines of code on a computer screen.

Have I convinced you? 


Ivan Kwiatkowski

Ivan Kwiatkowski is a senior security researcher at Kaspersky's GReAT, a malware analyst and would-be writer. Ivan is a maintainer of ApkTrack and Manalyze.
