Cyberattacks aren’t going away any time soon. Rather, we should expect such attacks to only increase in frequency. That means the real question is how do organizations provide more effective protections for their employees, partners, and customers?
We need to start with the fundamentals. One frustrating fact is that even strong security features continue to be undermined when organizations fail to do the basics. By basics I mean steps such as patching known security flaws promptly, mandating strong passwords, adding two-factor authentication for network access, and training people on how to identify and avoid phishing attacks.
The good news is that strong leadership can address this range of problems caused by overlooking the basics. The solution is building a sustainable security culture, no matter how large or small the size of your organization. To solve cybersecurity problems means driving organizational change. And security leaders cannot be drivers of change without a firmly established security culture as a foundation.
Building a sustainable, security-first culture
A security-first culture starts with a clear understanding and acceptance that security is everyone’s responsibility. From the newest employee to the Chief Security Officer, a strong security culture means everyone embracing the fact that they have a role to play in keeping the organization secure.
That role starts with everyone adopting a security mindset. That means taking the time to consider the security implications of every action, whether it is giving partners access to your network, determining the features of a new product, or how you respond to requests for information by phone, email, or on social media. In each and every case, security must be part of determining how you engage.
No basic security problem illustrates the need for a security mindset more than phishing. A study by Cisco estimates that as much as 95% of all data breaches stem from successful phishing attacks. Only by building a security culture in which everyone understands they must be security focused can a company address the threat of phishing.
And building a security-first culture can address phishing. In my address at our annual company-wide kickoff events that start our fiscal year, I talked about how everyone at Lenovo could help, and showed where in Outlook everyone could find the “Report Phishing” feature we have on our systems, and Microsoft offers to enterprises. By making it easier to report suspicious emails, we have seen a ten-fold increase in reports of this potential threat. Even better, fewer than 1 in 10 emails flagged as suspicious are actually phishing emails, which means our teams are being extra cautious, exactly the culture you want to have.
Security awareness never stops
Another critical element in a security-first culture is making sure everyone understands that security awareness never stops. Security is a journey, not a destination. For every new security feature or piece of security software, there is a new vulnerability being developed somewhere, so the need for awareness remains constant.
Yet this also means that the leaders of your security culture need to understand that you simply cannot scare your teams into security compliance. That’s because over time the message will lose meaning, and eventually get ignored. Not only does there need to be creativity in communicating about security, but you must realize that mistakes will be made. How you react to those mistakes can make the difference between strengthening your culture, or inadvertently weakening it.
Turn security incidents, wherever possible, into teachable moments. Ensure that everyone involved understands what went wrong, what the consequences for the organization were, and how such problems should be avoided in the future. If the problem that led to the mistake is new, additional training should be developed and circulated so that the maximum number of people can learn from the incident.
A strong security-first culture does require accountability. Company policies must be enforced. And those who have been educated on the correct actions to take should be expected to follow through on that training. But it’s even more important to celebrate success. This can be challenging in the security realm, where success often means that no problems occurred. Even more, for our more advanced security personnel and programs, we never want to draw attention to how we are protecting our organizations, lest we give attackers an unwanted edge.
Yet I encourage you to celebrate success in security wherever you can. On the front lines, that means thanking employees who report suspicious emails. And for your security-focused teams, that means providing growth opportunities, and establishing security as a desirable career path.
As security threats keep evolving, organizations need a robust set of defenses to detect potential attacks and to protect their systems and data. By establishing a strong security culture, you can empower your people to take simple, basic, yet powerful steps to provide your organization with an important extra layer of defense from cyberattacks.