What are the most significant security risks facing your organization? Your answer might include common external threats, such as brute force attacks, phishing attacks, ransomware, supply chain attacks, and attacks against vulnerable software, among many others. But the focus on external security risks misses an important point: External attacks often exploit vulnerabilities created by poor internal security controls and practices.
According to the 2021 Verizon Data Breach Incident Report, 85% of breaches involve a human element. Brute force attacks succeed when employees use easy-to-guess passwords. Phishing attacks succeed when employees click on malicious links in emails from unverified sources. These risks can be mitigated when your organization integrates information security practices into all elements of its organizational culture.
An organization with a dedicated information security culture aims to mitigate internal risks by giving employees the knowledge, support, and motivation to follow information security policies and procedures.
What is Security Culture?
Culture is the norms, values, and attitudes shared by a group. These factors matter because they influence behavior—people act according to their beliefs and incentives. A security culture is one in which norms and values are aligned with information security policies and best practices.
In more concrete terms, that means:
- Employees understand the security threats relevant to their role and what they can do to mitigate risk.
- They feel supported and encouraged to report security threats and vulnerabilities.
- They believe the business prioritizes security relative to other values, such as efficiency.
- They feel encouraged to help colleagues and employees they manage to be more secure.
- Security is a significant component of business communication, onboarding, and training.
A security culture encourages employees to make information security part of their day-to-day activities and rewards them for doing so.
How to Foster a Positive Security Culture in Your Organization
A positive security culture doesn’t arise organically; businesses must make a proactive effort to foster a security culture within their organization. Let’s consider four ways your company can begin to lay the foundations of a positive security culture today.
1. Create Simple, Transparent Information Security Policies
Information security policies and the procedures built on them are the foundation of an effective security culture. But it’s not enough to write security policies. They must also be communicated to employees, enforced within the organization, and supported by organizational structures.
For example, there is little benefit to implementing a vulnerability reporting policy if:
- Employees don’t know who to report to.
- There is no system in place to act on reports.
- Employees receive negative feedback for reporting.
- Security policies and procedures are too technical for employees to understand.
A thriving security culture is a holistic endeavor where employees and managers work together to implement security policies. Policies only support a security culture if they are accessible, achievable, and endorsed by leaders at all levels of the organization.
2. Empower Employees with Security Awareness Training
Without training, many employees—especially those in non-technical roles—lack awareness of security threats and the knowledge required to mitigate risk. Lack of security awareness is the root cause of many security incidents. Around half of all security breaches are the result of employee error.
To take just one example, 61% of breaches used authentication credentials that were shared, leaked, or otherwise exposed to the attacker. Security awareness training can significantly reduce this and many other security risks by helping employees to understand the threat and their role in mitigating risk.
3. Make Information Security a Company Priority
If information security isn’t a priority for managers, it won’t be a priority for employees. Many of the biggest security breaches of recent years were caused, at least in part, by a company’s unwillingness to focus on and invest in security.
There is a short-term cost to improving security, which some companies would prefer to avoid. However, security breaches cost businesses an average of $4.24 million. The long-term costs of a major security breach far outweigh the cost of an ongoing investment in fostering a positive security culture.
4. Reward Employees for Contributing to a Positive Security Culture
Effective security cultures are based on positive reinforcement that encourages employees to follow security best practices. People are more willing to devote time and effort when they are rewarded for doing the right thing than when they are punished for making mistakes.
There are many ways a company can reward secure behavior. Security awareness experts at the SANS Institute recommend public recognition. Use security-related communications such as newsletters to praise employees for reporting vulnerabilities and following security best practices. Managers can implement the same incentives by highlighting security issues and praising employees for improving security throughout the organization.
KirkpatrickPrice Helps Businesses to Achieve a Positive Security Culture
KirkpatrickPrice offers information security services to help businesses improve their security culture, including:
We also offer a comprehensive range of security compliance audits for SOC 2, PCI DSS, HIPAA, FISMA, and more. To learn how KirkpatrickPrice can help your business to strengthen and verify security and compliance, contact our information security specialists.