
5 Keys to a Cybersafe Culture

MIT Sloan’s cybersecurity research team reveal five effective practices to make cybersecurity a way of life

 


In May 2017, a malicious cyberattack brought a large part of the UK’s National Health Service to its knees. Two years on, one would hope organizations large and small had got the message and cyber defences were winning the battle. Sadly, a recent report from the insurers Hiscox suggests otherwise.

The firm surveyed more than 5,400 SMEs and large businesses from the US, UK, Germany, Belgium, France, the Netherlands and Spain, and found that 60% of the firms reported one or more attacks – up from 45% in 2018. What is more, despite this, the insurer found the percentage of firms scoring top marks on cybersecurity had fallen.

In a recent article for the Wall Street Journal, Stuart Madnick, Founding Director of Cybersecurity at MIT Sloan (CAMS), highlighted the growing danger from cybercrime and warned that the weakest link in the defence against it is people.


Join Stuart Madnick at MIT Sloan’s Cybersecurity Leadership for Non-Technical Executives for a holistic approach to managing cybersecurity-related risk

Dates: Jul 16-17, 2019 and Nov 14-15, 2019 │ Format: In-class study

Location: Cambridge, Massachusetts


While too many companies assume cybersecurity is a technology issue, Madnick’s warning suggests otherwise. It is people that fall for ‘phishing’ scams (emails or messages asking for the reader to take some action, like download a file or click a link), people that send confidential files via email without password protection, download software not approved by the IT department, or share network passwords with colleagues.

Consequently, the key to building a cybersecure organization is to ensure the active engagement of non-technical managers and staff and to build a ‘cybersafe culture’ across the organization.

Madnick, his colleague, Dr. Keri Pearlson, and the Cybersecurity at MIT Sloan research team have interviewed many companies working towards just such a culture. Here are five of the approaches and actions that they have found most effective.

  • Cooperation from everyone: At too many companies, cybersecurity is seen as the responsibility of the IT department. But cybersecurity requires the active efforts and cooperation of everyone in the business, top to bottom.
  • Clearly designated leadership: Developing, supporting, and sustaining the cybersecurity culture requires strong attention and support from top management as well as a clearly designated manager and/or team who are responsible to help.
  • Passive solutions: There are many security precautions that are relatively simple to implement because they require minimal, or even no, conscious action from the employee, such as segregating the network used by personal devices from the corporate network, requiring two-factor authentication to connect to the corporate network, and filtering suspicious emails into a separate folder.
  • Active reminders: Madnick suggests borrowing from other successful efforts to change behaviour – like the signs at the entrance of many factories that read, for instance, “542 days since last industrial accident.” No one wants to be the person that brings that number back to zero. Companies should regularly remind workers how many attempted cyberattacks their organization had today, how many were successful, and whether the trend is improving or worsening. Another example: add a note to each incoming email that says, “This email has an attachment. Be sure you know who it is from before you open it. We don’t want to aid a cyberattack.”
  • Make it engaging and fun: Creativity has its benefits. If your company can encourage cybersafe behaviour in ways that are fun, they will be more likely to stick. Madnick and his team have seen engaging and funny videos and songs that connect with employees; ‘cybersecurity superheroes’ who personify and promote the organization’s commitment to cybersecurity; and periodic phishing tests where the results are posted and rewarded.

In an environment of rising cybercrime, in order to get ahead of the hackers, cybersafety best practices need to be part of everyone’s daily work processes. Success stories should be highlighted and encouraged. Cybersafety effectiveness should be valued and expected of employees and incorporated explicitly into performance and bonus reviews, and, to be well managed, cybersafety levels need to be measured.

In other words, say the MIT Sloan experts, “Cybersecurity needs to be a way of life.”


MIT Sloan is uniquely positioned at the intersection of technology and business practice, and participants in our programs gain access to MIT’s distinctive blend of intellectual capital and practical, hands-on learning.





 