Who Is Responsible for Developing a Cybersecurity Culture?
A Word from the CEO
Last updated on October 31, 2022
Creating a cybersecurity culture starts in the board room. However, this is only half of the answer to the question of who is responsible for developing a cybersecurity culture. I’ll explain why in this article.
Cybersecurity Is a Must – Here’s Why
I’m a person of numbers, so here are a few statistics that perfectly illustrate why cybersecurity is a must for every company, regardless of size:
“In 93 percent of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources.” (Source)
“Credential compromise is the main route in (71 percent of companies), primarily because of simple passwords being used, including for accounts used for system administration.” (Source)
“In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by ThoughtLab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated.” (Source)
“Further, 41% of the executives don’t think their security initiatives have kept up with digital transformation. More than a quarter said that new technologies are their biggest security concern. And just under a quarter cited a shortage of skilled workers as their largest cybersecurity challenge.” (Source)
“Only 50% of U.S. businesses have a cybersecurity plan in place. Of those, 32% haven’t changed their cybersecurity plan since the pandemic forced remote and hybrid operations.” (Source)
“The most common causes of cyber-attacks are malware (22%) and phishing (20%).” (Source)
“Cybercrime cost U.S. businesses more than $6.9 billion in 2021, and only 43% of businesses feel financially prepared to face a cyber-attack in 2022.” (Source)
“A new global study of 1,000 CIOs finds that 82 percent say their organizations are vulnerable to cyberattacks targeting software supply chains.” (Source)
“In response to the risks, 68 percent [of interviewed CIOs] are implementing more security controls, 57 percent are updating their review processes, 56 percent are expanding their use of code signing — a key security control for software supply chains — and 47 percent are looking at the provenance of their open source libraries.” (Source)
What Is a Cybersecurity Culture?
Cyber threats can be mitigated or even avoided by having a solid cybersecurity strategy in place and by developing a strong cybersecurity culture.
The term “cybersecurity culture” refers to all of a person’s knowledge, views, attitudes, preconceptions, conventions, and values as they relate to cybersecurity, and to how these show up in the way they use information technologies.
The creation and implementation of a cybersecurity culture ecosystem is the primary goal of a cybersecurity culture.
As our Director of Product Innovation, Stefan Muresanu, mentions:
I’d say that cybersecurity culture is a homogenous mix of best practices – behavior, knowledge, hypothesis, and standards – related to logic, awareness, technical savviness, and being up to date with the novelties in the industry meant to change behavior and drive values, attitudes, and beliefs that need to be present at all levels: leadership, group, and individual.
Who Is Responsible for Developing a Cybersecurity Culture?
I started this article by saying that creating a cybersecurity culture starts in the board room, but this is only half of the answer to the question. The other half is that everyone is responsible for a cybersecurity culture – every employee, every business partner of your company.
Heimdal’s CTO, Cosmin Toader, notes:
In my books, developing a cybersecurity culture is a shared responsibility. New employees must be trained with the mindset that risk is real and that their daily actions impact it. Simple security procedures followed by the employees could greatly reduce the risk to the company.
The goal of cybersecurity crosses functional boundaries. HR must be involved in the implementation of cybersecurity compliance education programs, much like with sexual harassment and data privacy training. Businesses might even decide to include cybersecurity best practices in their employee contracts.
Our System Administrator, Alex Panait, adds:
To me, cybersecurity culture means teaching employees how to spot and protect themselves from the most common threats. People are the weakest link in the security of a company and teaching them to have a vigilant mindset and be aware of scams and threats mitigates it. Developing a cybersecurity culture starts with the C-Level, but it is not the responsibility of just one man or department. It should be engraved in the company culture, and here is where IT and HR can join forces to include cybersecurity training in the onboarding process, while team leaders across the company should enforce the procedures.
How to Implement a Cybersecurity-first Culture
The news is full of reports regarding data breaches, ransomware attacks, supply chain attacks, and (successful) phishing attempts. Between June and September 2022 alone, our Ransomware Encryption Protection software detected 6,056 malicious encryption attempts and blocked 2,262 ransomware attacks targeting our customers. Our Email Security solution detected 7,393,376 spam emails and 277,444 emails containing viruses, and blocked 15,131 suspicious attachments.
Implementing a cybersecurity-first culture is thus absolutely necessary. Here’s how you can do it:
Make Security Awareness Training Mandatory
Whether sent by HR, your CIO, CISO or your IT admins, security awareness training programs should be available and mandatory for all employees.
Focusing on deconstructing risks and making sure all of your employees are aware of what to watch out for is crucial. The team must be educated in a way that resonates with them in order for them to remember the material. You can try to choose resources that make security training more engaging.
Engaging video content, interactive exercises, simulations, and phishing tests can all be included in an effective security awareness training program.
From a leadership perspective, organizations must prioritize ongoing training and update it as security threats evolve. To guarantee that every employee receives security training before they even start working, it is a good idea to incorporate it into the onboarding process.
Make Cybersecurity an Organizational Value
The fact that everyone is accountable for a company’s cybersecurity and the fact that every person and interaction poses a potential risk are two sides of the same coin.
You must not rely solely on security training – cybersecurity must become an organizational value, where every employee understands the consequences that he/she, the company, and its customers may face in case something goes wrong.
This is particularly the case for cloud-based organizations, which deal with constantly changing and emerging threats, and, thus, a larger attack surface.
The pursuit of compliance certifications or attestations, like SOC 2 certification, is one way to ensure that cybersecurity is an organizational value. Such certifications are increasingly important for running a modern business using cloud storage.
How Can Heimdal® Help?
Heimdal can clearly help you on two levels – educational and, obviously, practical.
At the educational level, our marketing team does an excellent job in creating a wide range of content that you can use for security awareness training:
I suggest you follow us and choose your favorite type of content. We are also present at various cybersecurity live events, so you can always come and talk to us in person – you’ll find info about the upcoming ones on our social media channels, so make sure you keep an eye open.
When it comes to cybersecurity, any single misstep can have serious consequences, not only for an organization’s bottom line, but also for its image and the trust it has established with collaborators and customers.
Cybersecurity must be a fundamental and active component of a company’s culture, regardless of how many people it has—two or 2,000. Continuous education and investment are necessary to establish and maintain a solid security posture. Only by highlighting its relevance and providing people with the resources they need can organizations achieve that.
Morten Kjaersgaard is the visionary CEO of Denmark-based Heimdal®, an AI-powered cybersecurity leader with a global reach, safeguarding 15,000 businesses from 260+ million cyberattacks. With a Corporate Marketing background, Morten bridges cybersecurity intricacies with business goals. He's a cybersecurity advocate, event speaker, and insightful blog contributor. Morten uniquely translates technicalities into actionable insights, a valuable asset in the digital landscape. His presentations blend cybersecurity expertise, real-world business engagement, and data-driven insights, inspiring innovative strategies. Morten doesn't settle for the status quo, pushing organizations to embrace bold, revolutionary approaches. Connect with him on LinkedIn for more.