How to Create a Cyber Security Culture
By Mary Critelli
October 19, 2016

All companies continuously face cyber security threats from both inside and outside the organization. IT departments apply basic defenses to reduce the likelihood and impact of a data breach: firewalls, operating system updates, secure connections, and spam filters are all standard. None of these, however, addresses the weakest and most fragile component of any cyber security strategy: people.

Morgan Stanley’s IT department is well known for world-class cyber security protection. Even so, in a recent security breach, data on over 350,000 customers was taken by an employee. The SEC held Morgan Stanley responsible, citing its failure to adopt “written policies and procedures reasonably designed to protect customer data.” Technical controls alone were not enough; creating a work culture centered on cyber safety is essential. Most companies understand that better training and executive involvement are key to promoting cyber safety awareness. But what about the less obvious actions companies can take to build this culture? Learn more about these approaches below:

Ensure the top sets the tone.

The only way to ingrain practices that support cyber security and lower cyber-threat risk is to start by embedding these principles in senior executives and management, the group responsible for setting company culture. Consider adding cyber security compliance measures to executive compensation and incentives. Recent studies also report a correlation between CEO approval ratings and cyber security risk assessments: the higher the CEO approval rating, the lower the assessed cyber security risk. Analysts read this as support for the theory that the happier employees are at a company, the less likely they are to cause a security breach. A company culture that fosters loyalty and satisfaction among employees lessens the risk of an “inside job,” whether hacking or misuse of company data for malicious purposes, and a CEO who takes cyber security seriously will influence his or her employees to do the same.

Get certified.

ISO/IEC 27001 is the best-known standard specifying requirements for an information security management system, the set of policies and controls that keep information assets secure. Certification is voluntary, but many companies now choose to take this extra step. Certification not only sets out a standard for protecting the company; it also reassures customers and business partners that their information is protected. Leverage the certification to set a company-wide standard that is documented, followed, regularly audited, and backed by top-level management. Hold trainings to ensure employees understand and follow the policies.

Create a cyber security scorecard.

The US Department of Defense is under constant threat of cyber-attack. Its cyber security scorecard gives the Secretary of Defense a consolidated view of cyber security compliance and exposure. The scorecard assesses cyber security controls across five areas: people, process, technology, facility, and compliance. Its purpose is to ensure organizations perform security assessments regularly and effectively, highlighting gaps in cyber security policy and areas for improvement. Once gaps are identified, communicate them throughout the company and schedule trainings that specifically target and mitigate them.

Inventory and Protect All Networked Devices.

The technology that people wear and carry is often more powerful than they realize, and companies and employees should be aware of the associated risks. Users rarely think about cyber security as it applies to their personal devices, and a phone or wearable left on insecure default settings exposes the company to attackers once it connects to company email, Wi-Fi, or applications. Start by inventorying every device that touches company data, including personal and wearable devices. Train employees on the risks to establish awareness. Publish company policies on what to do if a device is lost, stolen, or compromised, and cover them in employee onboarding. Put programs in place to educate employees on how a compromise of their device could endanger the company.

It is not a matter of “if” a company will get hacked, but “when.” Embedding cyber security, cyber safety, and cyber-threat awareness into an organization’s culture helps delay and minimize the impact of the inevitable. Trenegy helps companies create and implement customized strategies to reduce cyber security risks.