Creating a strong culture of security within organisations
The importance of a strong cybersecurity posture is not a new concept. Data from the Australian Cyber Security Centre (ACSC) recently revealed that Australian businesses reported more than 2,200 cybersecurity incidents between July 2019 and June 2020. (1) Australian CISOs are well aware that significant investment in cybersecurity strategies and technologies helps protect an organisation against cyberattacks, and that potential breaches must be reported. However, according to Fortinet, many overlook the role that culture plays in cybersecurity.

Corne Mare, director, security solutions, Fortinet, said, “Business operations are increasingly moving towards the digital sphere, and having relevant technological support and a strong cybersecurity posture is critical to maintain and protect operations. However, neglecting the role that people play in maintaining cybersecurity can have significant impacts on the organisation’s security.”

The human element can be either an organisation's weakest link or its strongest asset in terms of cybersecurity. Weaving good cybersecurity practices tightly into organisational culture reduces the risks and vulnerabilities that cybercriminals can exploit to attack the business.

Corne Mare said, “Developing a strong cybersecurity culture is equally as important as deploying software solutions and technologies to protect systems from breaches. By prioritising regular training sessions for employees on cybersecurity approaches and tools, and distributing frequent updates on the changing cybersecurity threat landscape, organisations can essentially build a human firewall to complement a digital layer of protection.”

There are four ways organisations can create a strong culture of security:

1. Regular training sessions

Facilitating regular training sessions on cybersecurity processes and policies, running frequent mock phishing tests to measure employee awareness, and regularly engaging employees in the wider cybersecurity conversation all help to strengthen a company's cybersecurity culture. When employees can recognise phishing attacks and understand why strong passwords and multifactor authentication matter, for example, the organisation becomes that much harder for cybercriminals to breach.

Corne Mare said, “Engaging all employees in the conversation around cybersecurity encourages them to follow best practices and develop good cybersecurity habits. This relieves the IT security team of the burden of managing the entire defence of an organisation’s information and spreads it among all employees.”

2. Creating a partnership approach among all teams in the organisation

Reducing reliance on the cybersecurity team and its supporting technologies alone also reduces the risk posed by passive employees who don't understand the role they can play in keeping the organisation secure.

Corne Mare said, “To empower employees to be a more active part of the conversation, it’s essential that organisations can foster a collaborative partnership between the security team and other departments. While the security team acts as the expert as far as identifying and managing risks, other teams are critical in ensuring success by understanding expectations and following policies.”

Building this understanding can turn people from the weakest link in the security chain into a strong one.

3. Engage the right people in conversations

Engaging the wider team in cybersecurity is key to building a strong cybersecurity culture, but it's equally important that organisations have the right people facilitating those conversations.

Corne Mare said, “Organisations often look for the most qualified individuals to join their team. While it is essential to have qualified professionals, especially in cybersecurity, it’s also crucial to have team members that are engaged in their work and eager to grow and learn with the changing cybersecurity landscape.

“When workers are more engaged in their subjects, they can foster stronger collaboration and conversation with other workers. This can drive the wider conversation effectively to help build a stronger cybersecurity focus with the wider team.”

4. Implement structures and policies

In addition to fostering collaboration and conversation between the cybersecurity team and other departments, organisations must implement structures and policies that build a stronger barrier against threats.

Corne Mare said, “Keeping a balance between physical security measures and the human element is essential. Security teams will always have a need to implement defence measures such as anti-malware software, incident response and recovery plans, secure access points and access management policies, and data encryption. However, this needs to be balanced with substantial cybersecurity training for all employees, managing background checks for sensitive data access, and maintaining that conversation with the team.

“Keeping all employees updated on potential threats and vulnerabilities, and regularly reinforcing best practice, builds a cybersecurity ecosystem that everyone is responsible for. By keeping cybersecurity top of mind and continually engaging employees in the conversation, managers can ensure the organisation is vigilant for potential threats.”