Using Organisational Culture to Improve Cyber Security

We consistently recommend that you build a resilient business where cyber-security a priority. But what does organisational culture have to do with improving cyber-security? As most managers and CISOs know, one of the least static areas of business is cyber security. That’s because more than half of the fraud in the UK is conducted online. Therefore, in light of mounting attacks, it’s important to increase awareness at the company level. Plus, to ensure your cybersecurity policies are effective, you must get buy-in and action from all levels of staff. When you do, you can use organisational culture to improve cyber security.

The State of Cyber Crime Heading Into 2020

The National Audit Office has confirmed what we already know – that the UK has a high level of exposure to and potential impact from cyber-attacks. This stems from the UK’s role in international organisations, such as NATO, and the openness of our digital economy. Because we have “one of the world’s most open and most digital economies” we are “vulnerable to attack from hostile counties, criminal gangs and individuals.” (House of Commons Report: “Cyber Security In the UK 2017-19’”)

Operating in the current cyber threat landscape is difficult. The risks are multifaceted. It finds organisations navigating an increasingly complex cyber threat environment. As the EESC’s Cybersecurity Study outlines, these risks affect:

Business continuity
Intellectual property
Personal integrity
Professional integrity

So, you must consider all these areas and more when building your cybersecurity plan.

Cybersecurity culture in the workplace

Cybersecurity is everybody’s business because everyone loses out when a company is affected by a cyberattack. We care about the role of employees because careless and unaware employees are too often contributors to the success of cyber threats.

You can start the cybersecurity process by creating the policies and frameworks just like the government agencies we work with. They are developing national frameworks for a policy and legal foundation for a resilient cyber-ecosystem. You should do the same on a micro-level in your company.

However, unless you have the active involvement of staff, your efforts may not offer the ROI on your security investment that you expect. So, you want a system where cybersecurity practices are integrated seamlessly into everyday jobs.

It is a delicate balance to improving security and getting company buy-in without alienating employees in the process. Too often, the approach taken to implement security changes neglects employee involvement, by failing to acknowledge the importance of staff in the implementation and ongoing execution. There are best practices that organisations can and should adopt. But it also means tailoring your security protocols to your unique business needs.

In a resilient business culture, information security is seen as everybody’s business. In this environment, the culture you foster minimises insider threats. It also encourages employees to identify threats and actively respond to vulnerabilities. Crucially it starts with executives supporting the initiatives of their CSOs and CISOs. It’s about institutionalising security training programmes, which helps to develop better cybersecurity habits in employees and staff.