7 Surprising Ways to Create an Information Security Culture
Just because your workplace has security awareness training and the latest IT safeguards doesn’t mean there’s a culture of information security throughout the organization.
A culture of information security is created when everyone champions information security and uses an information security lens to make decisions about the work they are doing in and out of the workplace.
According to International Fraud Awareness Week, data protection and fraud awareness have to be a priority for every organization – and every employee. The awareness campaign, which runs November 13-19, encourages anti-fraud awareness and education.
But 66% of respondents in the 2016 ‘Managing Insider Risk through Training and Culture’ study by Ponemon Institute say that employees are the weakest link in efforts to create a strong security posture; 55% of organizations have experienced a security incident due to a malicious or negligent employee.
An information security culture is really about a set of security-driven behaviors everyone in the organization needs to buy into.
While information security policies and procedures are critical, here are surprising ways to create a culture of security:
- Include executives in ongoing employee training. While the C-suite needs to know how to protect themselves from cyber and other attacks, their participation in training sessions will also demonstrate the importance of security and encourage the rest of the organization to follow suit. In the Ponemon study, only 35% of respondents said senior executives believe it is a priority that employees are knowledgeable about data security risks in an organization.
- Use financial incentives. To encourage positive security behavior, provide incentives including monetary rewards. Other rewards could include lunch with executives, and public recognition in internal publications and the intranet. Employees are empowered when they are rewarded for good behavior.
- Publicize consequences for negligent behavior too. Security campaigns should emphasize how employees can cause serious issues when they engage in non-compliant behavior. There should be consequences too, such as meetings with IT or executives to discuss issues, or consequences tied to remuneration.
- Make it personal. Messaging should raise awareness of security issues and concerns in a wider, more personal context. When there’s a personal connection (concerns for family, etc.), people are more likely to buy in and become more engaged.
- Make it competitive. Encourage departments or teams to compete against each other for top spot (or prizes of some kind) based on factors such as who identified the most phishing emails. Reward the winning department with lunch on the company. Competition encourages engagement.
- Make it fun. Have fun, and ‘gamify’ learning with engaging and interactive training programs. For example, use simulated phishing emails that link an employee to an education message if they click on a malicious email. Create interactive games where employees have to identify non-compliant behavior in a simulated office environment.
- Make it easy. Embed secure processes into the workplace – so that secure behavior and choices become embedded too. For example, partner with a document destruction leader for secure document and hard drive destruction services, and implement a Shred-it All Policy. Employees will learn that secure information destruction is an important aspect of the culture of security.
A culture of information security works hand-in-hand with other security best practices.