Wiring the Workplace: Grounding Your Cyber Culture

We’re in the home stretch, and 2016 sure was one for the record books, cybersecurity- and other-wise. We’ll spare you a play-by-play, but suffice it to say in the world of all things cyber, we’ve hit a whole ‘nother level. And the upward trend continues, with abundant predictions of threats and concerns looming over the upcoming year.

Rounding the bend, we find ourselves in October, and in the midst of another installment of National Cyber Security Awareness Month (NCSAM)—the 13th to be precise. We’re right there with the nation’s President in calling upon “the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and training”. “Our Shared Responsibility” has been the continuous and, we think, very fitting theme for this annual month of increased cyber awareness. Last year, we set forth the goal to live cyber-safely, proving that together, we’re a force—for good—to be reckoned with. So, how did we do?

Cultural Awareness

If we’ve all improved a bit, that’s a great place to be. But here’s the rub: just as quickly as we’re updating and advancing, so are threat actors. The stronger we make the locks, the faster they dig their tunnels. It could feel like there’s no catching up. And that’s why NCSAM is so vital. A collection of lessons learned and a ‘state of cybersecurity’ rundown can get us back to center, ready to face a new year.

As always, NCSAM breaks things down into weekly topics. October 10-14 addressed the importance of “Creating a Culture of Cybersecurity in the Workplace”—that’s right up our alley. Join us as we delve a bit deeper, uncovering the main tenets. Click the topics, check the answers, and feel free to discuss. From the printed page to real life—we’re about to make that leap.

Employee Education & Training

It’s been established: cybersecurity is anything but an “IT issue”—it’s up to all of us, every day, every where. Especially on the job though, management must set the bar high, seeking training for themselves before attempting to initiate a knowledge trickle-down. Once training is in place, keep it fresh, make it real, and be sure it’s relevant to the jobs your employees do every day. Break up lengthy lessons that could bog down. They’ll be more manageable, easily remembered, and most importantly, implemented. Look for concepts that are “quick, hassle-free, and easy-to-understand”. How to gauge? Why not ask those you’re teaching.

When a training session is completed, keep that wealth of cybersecurity knowledge out of the cobwebbed corners of the company intranet. Continue to emphasize the critical nature of company data, and make it personal—“Wouldn’t you want a company you’ve entrusted with your data to steward it responsibly?”

Here’s a tip: Consistent visual reminders could do more than an occasional lecture. So why not design and distribute informative infographics and other printables, perhaps even involving employees in the process. Just remember: policies should be clear and concise, and appropriate ‘plans of action’ should be easy to follow in a crisis situation.

Encourage Awareness

Much like trust or communication, awareness has to be a ‘built-in’ to be effective. Styles will vary across the board, but encouraging cyber awareness will always require initiative and a positive approach. Easier said than done—we hear you. But here’s a fact that’s on your side: in any area of life, a little bit of healthy, positive peer pressure can keep us in line, and on target. We can’t overemphasize the need for everyone in the office to be on board. Here’s the goal mentality: ‘Everybody else cares about cyber safety, [and] so do I’. It’s good to be part of the majority on this one.

Being aware also means being kept informed to changes, whether it’s equipment, policies, or programs that are updated. Oftentimes, dignifying employees by keeping them in the loop (where you can) can go far to increase their commitment—it’s then a true team effort. And just when it would seem that enough time has passed for training to have slipped from employees’ collective consciousness, including tips, infographics, self-assessment quizzes and especially short, informative videos in a regular internal newsletter could be just what’s needed to buoy cybersecurity back up to a high level of importance. Here lies a hidden danger: Inundating staff with a constant barrage of cyber-babble will hurt, not help. Be sure to strike that balance.

Here’s a truism for you: “A culture of cybersecurity, with every employee engaged, will help to strengthen the weakest link.” This isn’t about checking boxes, signing agreements, or reading terms. Instead, look for ways to engage employees, to make awareness real, everyday, and even (dare we say?) fun.

Emphasize Risk Management

Before awareness and training even enter the picture, it makes sense that you’d first need to identify your company’s “crown jewels.” That is, the data you absolutely can’t afford to lose. Here’s where imagination is vital. So pause your planning for a moment and tap into your brain’s ‘what-if’ center. If your company’s priceless data were stolen in a full-scale breach:

• How would management react?
• Where would you turn for guidance?
• What could potentially happen to your company and the employees who depend on you?

Sobering thoughts, we know. And while we generally don’t like to dwell on worst case scenarios, in reality, they happen all too often. So, once you’ve pinpointed the potential for disaster, then the dominoes begin to line up. You’ll naturally begin to ask questions, like: ‘How do I store this information?; Who has access?; How do I protect our data?; What steps are we taking to secure our computers, network, email and other tools?’ The answers can highlight key points of entry for threat actors, and give you the data you need to get busy managing that risk.

Build Resistance & Resilience

Beefy football players learn how to twirl and point, and there’s a clear lesson to be gained: flexibility improves agility, protects from injury, and aids in healing. The same is true in the game of cyber. A lithe system can better “maintain the continuity of its critical services in the presence of disruptive events”, and can hasten recovery from and resistance to cyber incidents. We’re talking quick detection and response, and speedy mitigation and recovery. And these key qualities will take effort to implement. So “from understanding a broad range of non-technical issues, to developing and communicating proposals for broad operational and organisation change”, you’ll need all hands on deck.

As with any cyber endeavor, when we get more than surface deep, lines begin to blur and we lose focus on who’s responsible for what. That’s the perfect time to gather key players in your company’s defense strategy and assemble a solid Incident Response Team. Look for responsible, knowledgeable folks who can keep their cool, keep the company running, and control and repair damage. Team assembled, now it’s time to construct a reliable plan, because “Defenders have to be right every time, and attackers have to be right only once.” Much like superstorms and financial crises, cyber risks are inevitable and at times, unstoppable. It’s more often how we pick up the pieces and carry on that could make or break.

Promote an Educated Workforce, Follow Best Practices

TV spots, magazine ads, radio bombardment: promotion works when it’s engaging and attention-grabbing. The time, effort, and repetition required to promote cybersecurity awareness goes far beyond a one-time deal. Handing a new hire your printed safety procedures is just the beginning.

So let’s say you’ve implemented all the above suggestions and your cybersecurity game is solid. What now? It’s a good idea to periodically review key points by putting them into practice, testing employees quarterly to assess for weak spots in their knowledge base. Anything you do to stave off the ‘out of sight, out of mind’ mentality is a plus. Use the valuable data collected to fashion customized, ongoing training sessions. Including cybersecurity training as part of annual performance reviews could show itself as an obvious safeguard.

While on it’s face, it could seem like more effort than it’s worth to craft and implement a cybersecurity training program, doing your due diligence is a serious safeguard, and a way to show you understand what’s at stake. Here’s a motto to strive for: “In our company, it isn’t so much a training, as an ongoing conversation or dialogue.” Let’s work, this NCSAM, to make cybersecurity an everyday essential.

Man Your Sling, David

The flurry of summer has come and gone; it’s scary how those 365 fly. Now, as we settle into the year-end groove, it’s the ideal time to refocus on a topic that’s always in season. National Cyber Security Awareness Month makes things easier, concentrating and distilling cybersecurity Q&A’s and a myriad of resources, especially for the business crowd. We all know that fighting the cybersecurity war isn’t easy, but in the end, winning doesn’t depend so much on knowing, but on asking. Pair the right questions with reliable answers, and you’ll go far. So if you’re looking to take on a goliath—like fundamentally changing your company’s cybersecurity culture—there’s no need to go it alone. Along with the National Cyber Security Alliance, Zinc is right there with you, looking to foster cooperation, collaboration, and above all else, effective communication. Because while cybersecurity is on a topic that’s a fixture in the public eye, it isn’t always high-priority in the boardroom. We’re one of many who are out to change that—join us, won’t you?

Bonus Features

Check out all the NCSAM news on Twitter by following @StaySafeOnline and @zincinsurance, participating in the weekly #ChatSTC events, and searching #CyberAware, the initiative’s official hashtag. Find a plethora of tips and tricks to implement at home, work or play. For a weekly flurry of cyber info, use hashtag #ChatSTC each Thursday at 3P this month and tune in to NCSAM’s Twitter chat.