We’ve all heard horror stories of cyberattacks on businesses, and they are not just tales to be told in hushed tones around a campfire; they are real, they are terrifying, and they can have devastating consequences.
One of the most terrifying tales comes from the healthcare sector, where a hospital in California fell victim to a ransomware attack. Hackers managed to shut down the internal computer system at Hollywood Presbyterian Medical Center for over a week, encrypting protected patient files, emails, billing, and other sensitive data. The hospital was left with no choice but to pay a $17,000 ransom in Bitcoin to regain access to their files. This incident highlights the crippling effect a cyberattack can have on critical infrastructure and the lives dependent on it.
Information security risks and threats, such as viruses, spyware, ransomware and phishing, are an increasingly significant issue for businesses today. In 2023, three in four companies in the United States were at risk of a material cyberattack, according to chief information security officers (CISOs). Global cybercrime costs are projected to soar from $9.22 trillion in 2024 to $13.82 trillion by 2028, Kiteworks research has revealed. In the United States alone, these costs are forecast to exceed $452 billion in 2024.
In nine out of ten cyberattack incidents, the criminals gain access through social engineering, often with stolen credentials obtained through phishing or with malware planted in email attachments. A weak information security culture has led to unwanted exposures of the sensitive personal information of billions of individuals worldwide, and information security attacks are a major concern. In the US, a typical data breach now costs a company $7.91M (IBM 2018 Cost of a Data Breach Study). It is not surprising, then, that as many as 60 percent of small and medium-sized businesses reportedly go out of business six months after being hacked.
In a time when data breaches and cyber threats are increasingly common, establishing a strong security culture within an organization is not just beneficial; it's imperative. By the year 2030, a significant shift in how enterprises manage cybersecurity risks is expected. Gartner projects that 80% of enterprises will have formally established and staffed human risk management programs, a substantial increase from just 20% in 2022. Such programs include training, behavior monitoring, and policy enforcement to minimize risks from insider threats, social engineering, and unintentional breaches.
Moreover, by 2030, widely accepted cybersecurity control frameworks will focus more on measurable behavior change than on compliance-based training as a key metric for the efficacy of human risk management.
A corporate security behavior and culture program (SBCP) is essential for safeguarding sensitive information and maintaining trust with stakeholders, especially when the human element is the cause of 74% of breaches according to the 2023 Verizon Data Breach Investigations Report.
What is security culture?
According to security company KnowBe4, security culture is defined as the ideas, customs, and social behaviors of a group that influence its security.
Security culture is a collective responsibility of all members of an organization. A robust security culture aligns with business objectives, fostering an environment where security is viewed as integral to success, not just a regulatory requirement. The benefits of a strong security culture include heightened employee engagement in security matters, increased compliance with security measures, reduced risk of incidents, and an overall sense of safety among staff. It's a proactive approach that protects an organization from potential threats and breaches by cultivating a vigilant and informed workforce.
The seven dimensions of security culture
In its research paper, KnowBe4 describes the seven dimensions of security culture that can be adjusted within your organization to create a more secure data environment.
- Attitudes: The feelings and beliefs that employees have toward the security protocols and issues.
- Behaviors: The actions and activities of employees that have direct or indirect impact on the security of the organization.
- Communication: The quality of communication channels used to discuss security-related events, promote a sense of belonging, and provide support for security issues and incident reporting.
- Norms: The knowledge of and adherence to unwritten rules of conduct in the organization, i.e., whether employees perceive security-related behaviors as normal and accepted or as unusual and unacceptable.
- Cognition: The employees’ understanding, knowledge and awareness of security issues and activities.
- Compliance: The knowledge of written security policies and the extent that employees follow them.
- Responsibilities: How employees perceive their role as a critical factor in sustaining or endangering the security of the organization.
The best place to start is to evaluate your organization against the seven dimensions of security culture and compare the results with your industry’s benchmarks.
Expert tips to create an effective SBCP for your organization
You can build a robust SBCP that not only protects your organization from threats but also fosters an environment where security is a shared value and priority.
- Leadership commitment: The foundation of a successful SBCP is the commitment from the top. Leaders must not only endorse the program but also actively participate in security initiatives. This sets a precedent for the entire organization and underscores the importance of security in the corporate culture.
- Comprehensive policies and procedures: Develop clear, comprehensive security policies and procedures tailored to your organization's needs. These should be based on a thorough risk assessment and should cover all aspects of security, from physical to cyber.
- Regular training and education: Invest in regular training programs to keep employees informed about the latest security threats and best practices. Include cybersecurity education as part of the onboarding process for new hires to instill security awareness from day one.
- Promoting shared responsibility: Foster a culture where security is everyone's responsibility. Encourage employees to take ownership of their actions and understand how they contribute to the organization's security posture.
- Rewarding positive behavior: Recognize and reward employees who exhibit strong security behaviors. This not only motivates individuals but also promotes a positive security culture throughout the organization.
- Continuous monitoring and auditing: Regularly monitor and audit your SBCP to ensure its effectiveness. Use the findings to make necessary adjustments and improvements.
- Communication and collaboration: Ensure that there is open communication about security matters within the organization. Encourage collaboration between departments to share knowledge and best practices.
- Adaptation and flexibility: The threat landscape is constantly evolving, and so should your SBCP. Be prepared to adapt your strategies and policies to meet new challenges and threats.
- Incorporating behavioral science: Consider incorporating behavioral science principles into your program. Understanding the psychological factors that influence security behavior can help in designing more effective interventions and training. Techniques such as nudge theory and behavioral economics are helpful in guiding employee behavior subtly yet effectively.
- Creating an adaptive security culture: A strong security culture is not static; it evolves. Continuously seek ways to integrate security into the fabric of the organization's daily operations and decision-making processes.
Remember, the goal is to create a culture where security becomes second nature to every employee, contributing to the overall resilience and success of the organization.
Common roadblocks to security behavior programs
One of the most significant obstacles in the way of a successful SBCP is securing executive buy-in and management commitment from the top down. Leadership support is crucial for the allocation of resources, prioritization of security initiatives, and fostering a culture of security awareness throughout the organization. Without it, security programs struggle to gain the momentum needed for impactful change.
To address this challenge, it's essential to communicate the value of security behavior programs. This involves translating security risks into business risks and demonstrating how a robust security culture can protect the organization's bottom line. Presenting case studies, industry benchmarks, and potential ROI can also be persuasive.
There could also be a lack of expertise in behavioral science and insufficient data analytics capabilities amongst your IT staff. Many organizations struggle with the integration of automation into their SBCP, which is crucial for scaling the program effectively. Additionally, there is frequently a need for improved communication strategies to engage employees and foster a security-minded culture within the organization.
Establish clear metrics to measure the effectiveness of security behavior programs and use these insights to drive continuous improvement. Foster a community of practice among security professionals to share best practices, challenges, and solutions. Leverage technology such as Artificial Intelligence (AI) to automate routine tasks, freeing up security professionals to focus on strategic initiatives and personal development. AI systems can analyze vast amounts of data to identify patterns and anomalies that may indicate a security breach, providing real-time threat detection and response.
By understanding these challenges and implementing targeted strategies, organizations can enhance their security posture and create a resilient and aware workforce.
Navigating the complexities of security behavior programs requires a multifaceted approach, but with persistence and strategic action, organizations can foster a culture of security that not only protects but also empowers. Alithya is here to help answer any questions you may have about establishing an SBCP at your organization. Contact us to discuss.