Security culture: why it is so important to integrate it into corporate culture.
A security culture that turns employees into a genuine human firewall against cyberattacks is a fundamental element of cybersecurity, because the real weak point is the human factor: according to The Global Risks Report 2022 by the World Economic Forum, 95% of cybersecurity issues can be attributed to human error.
It is true that training and awareness alone are not sufficient to protect against constantly evolving cyber threats. However, making employees aware of real risks and informing them of the appropriate behaviors and rules for dealing with any cybersecurity danger remain essential steps. Furthermore, technical security measures should align with the company's other processes: employees should never have to choose between "doing their job" and "complying with cybersecurity policies." This is why security measures should be designed to provide an adequate level of protection without hindering employees' work.
A clear example of this principle is a system that requires overly complex authentication or inconvenient security procedures. In such cases users tend to bypass the measures (for example by sharing credentials or reusing passwords) or to make mistakes, nullifying the protection effort.
But what is meant by a security culture? It is the shared set of values and practices that shape how people within an organization think about and approach cybersecurity.
To create a common and shared culture, an essential ingredient is the active support of leadership, both in terms of budget and, most importantly, by setting a personal example. This goes together with the need to train personnel adequately and consistently, ensuring that every employee can understand and mitigate cybersecurity risks, while creating an environment in which people feel comfortable reporting security issues.
Responsible behavior by employees in the use of technology and information must be backed by a set of policies and procedures that are clear and understandable to everyone. Cybersecurity must become a collective responsibility.
Finally, for a security culture to retain its value over time it needs continuous maintenance: monitoring the effectiveness of existing security measures, updating them to address new threats, and applying a systematic approach to assessing and managing cybersecurity risks.
When talking about a security culture, it is not just about awareness; behavior and mindset are equally crucial, the other two pieces of the ABC of cybersecurity (Awareness, Behavior, and Culture). Every employee, department head, or administrator must be aware of their role within the company and act responsibly in terms of security, because cybersecurity belongs to everyone.
It is important to emphasize that it is often not a single error that has devastating effects, but rather the concatenation of many wrong behaviors that produces a domino effect and ends in disaster. Investing in a security culture can positively influence personnel, defusing the wrong behaviors that result from years of unawareness and bad habits (often stemming from the negligence of executives themselves). Seemingly minor errors, such as ignoring firewall rules, accidentally exposing RDP services to the internet, or using highly privileged accounts for everyday work, can make the company vulnerable and expose it to cyberattacks.
Since defending is much harder than attacking, it is essential to strike a balance between investment in defensive technology and the promotion of secure behavior among employees, adding a solid security culture to ad hoc actions (perhaps tied to the latest technology). Whether a company is investing correctly in this aspect can be seen from indicators such as people's willingness to report incidents, their treatment of security as an integral part of their responsibilities, and the promotion of responsible behavior among colleagues.
In conclusion, cybersecurity is not just a technological issue but also a human one: changing wrong behaviors takes time and constant effort, but it is an essential step if you want to protect the company from constantly evolving cyber threats.