The key to a sustainable security culture:
Your workforce

May 26, 2021 | By Gerard Lendore

Security must be a community effort, especially with a remote or hybrid workforce

In a sustainable security culture, security belongs to everyone—not just those with “security” in their job title. How can you build a sustainable security culture and become more resilient? By turning your workforce from a risk to a security asset. Let’s dive in.

The human factor in security

Your security is only as strong as your weakest point—where your security team has the least control. The human element is always the least controllable or predictable element in a security strategy. To strengthen this area, every person in your company needs to be a security practitioner. When your employees are all in and security is treated as a community effort, your company becomes more resilient.

The challenges of securing a remote workforce

In the past, employees haven’t been compelled to think about security because organizations typically have established security perimeters. While threats exist everywhere, there were certain dependable security elements while at the office: the physical security within the office, secure network and devices.

These security elements, likely taken for granted, disappeared once the pandemic forced people to work from home. Employees are more likely to have access to company information through personal devices. Work is being done through a home network. Who else is using that network? The rest of the family, who may not have taken that cybersecurity training as part of their onboarding process.

Now that so many have been working remotely for over a year, your company’s data security could be at the whims of an employee’s family member’s browsing habits. And bad actors have adjusted their strategies accordingly.

Make security personal to everyone

Your effort to build a security culture won’t go far if your workforce continues to view security as a technical problem to be minded only by technical people. Employees won’t suddenly care more or do more about your company’s security posture without reason. To get each employee thinking about security in their day-to-day operations, make it personal to them. Don’t rely solely on scare tactics to get employees on board. Use security awareness trainings to help them see how security affects everything and everyone in the company.

Get creative in cybersecurity awareness training programs

Take stock of your current cybersecurity awareness and training programs. Can you bring some creativity to security trainings to make them more engaging and interesting?

Make security real for your employees with a role play exercise in your next cybersecurity awareness training. When employees can step into the shoes of both the adversary and the victim, they may have a better understanding. Your workforce will also retain more from the interactive nature of these exercises, and let’s face it—your cybersecurity awareness training is only as good as what your employees actually remember and use moving forward.

Reward the behavior you want

When companies work to build a sustainable security strategy, their efforts fall short from a lack of employee engagement. If you want your workforce to improve their cybersecurity hygiene and participate in company security efforts, incentivize that behavior.

Reward the behavior you want instead of only punishing or highlighting the behavior you don’t want. Consider that a cash incentive will be far less expensive than another security tool or the possible losses from a cyberattack.

No security question is too foolish

“If you see something, say something” only works if your employees feel empowered to say something. Cyberthreats like ransomware, malware and phishing use psychology, so we must factor psychology into building a security culture.

There’s a reason you still get spam calls: somebody out there is still falling for them. Phishing, malware and ransomware work because they cause panic. They compel a person to react immediately out of fear and isolation. Fight the panic with preparation. Fight the fear with education. Fight the isolation with community.

Make your security organization a trusted resource by being available to answer questions—and teach your people that when it comes to keeping the business safe, there are no stupid security questions. Even creating a frequently asked questions guide on cyber hygiene can help. If you condition your workforce to take a moment and reach out when they are confused or encounter a potential cyberthreat, they—and your company—are less likely to fall victim to those threats.