Building a Culture of Cyber Safety

By Kristin Thomas on October 25, 2024

Executive Summary

Unsecure habits in the workplace create unintentional threats to an enterprise’s cyber posture. Leadership can create a culture of cyber safety by modeling good cyber habits and by giving individuals systems through which to report suspicious cyber events. There should be clear messaging that reported information will be reviewed by individuals who have the expertise to evaluate the report’s significance. Training and standard security policy may not be enough. If workplace culture can move individuals away from the mindset that cybersecurity is only IT’s problem, people will be better equipped to take ownership of their role in contributing to community cyber safety.

Background

Insider threats often conjure images of a disgruntled employee seeking revenge on their organization; however, not all insider threats are malicious [6]. Workers acting in good faith can behave negligently in an attempt to relieve the stress of limitations within their role. Unintentional threats often arise from a preventable source: common habits [3]. According to the Cybersecurity and Infrastructure Security Agency, or CISA, employees may introduce cyber threats to their company unintentionally, either by ignoring IT policy or by accident [4]. Workers may allow someone to tailgate through a building entrance out of kindness, despite understanding that the action is a policy violation. They may not know whether they are assisting a threat actor in gaining access; they may simply want to help. Unsecure workplace practices like this increase the attack surface by working against an organization’s cybersecurity strategy, and threat actors are more than willing to exploit them.

According to research by Bitwarden, organizations whose cultures foster cyber weaknesses have those vulnerabilities exploited on a regular basis. Bitwarden found that although 80% of respondents have a strategy around ransomware, almost half have issues with employees using unapproved software and hardware. Additionally, 19% have employees who use the word “password” as their password. Such practices increase an enterprise’s attack surface. That awareness of policy alone is not enough suggests a larger issue: a disconnect within organizations between policy and everyday behavior.

According to Forbes, an organization’s effort to become “cyber-focused” should take a top-down approach [5]. Leaders can strengthen their organizations by using lessons from cyber incidents to patch organizational weaknesses and minimize the attack surface. Since leaders have the power to influence and promote organizational change, their buy-in has a significant impact on building a “cyber-focused” culture. They can also empower workers who may be reticent to engage [1]. Additionally, leaders should continuously update their cybersecurity strategy to align with business goals.

Some government agencies have adopted a pro-teamwork stance to tackle the issues of education and detection. Understanding whether or not a situation is significant can be challenging, especially for people who lack adequate training in cyber threat detection [2]. To address this, the Department of Homeland Security, or DHS, uses a policy of “See Something, Say Something,” in which employees are encouraged to report suspicious cyber-related occurrences. The intent is to increase incident detection capacity by directing these potential events to the professionals best able to determine their significance. This removes the pressure on unqualified individuals to make uninformed decisions that could have negative consequences, and it reduces the errors such decisions produce. Additionally, cyber capabilities are expanded through increased participation. CISA encourages a “Culture of Collaboration” to foster community engagement in cyber vigilance. These efforts can work hand in hand to relieve the stress that might otherwise drive an employee toward a policy violation.

Impact

Threat actors often use workers’ compassion, altruism and resourcefulness as an attack vector. People are often willing to bypass their company’s IT policy in the belief that they are helping someone, or in an attempt to make their day a little easier. Fostering community can offer an appropriate outlet for both of these impulses while supporting cybersecurity goals. This can have a positive impact on cyber posture by minimizing an organization’s human attack surface.

Mitigation

Encouraging a culture of empowerment, open reporting and collaboration can have beneficial effects. Leaders should build cybersecurity into their leadership strategies. They can use their platform to shape workplace culture by encouraging an all-hands approach to cybersecurity. Organizations should ensure there are appropriate avenues for reporting potential cyber incidents, and those reporting systems should route reports to qualified personnel who can assess their significance and resolve them. This creates a supportive environment in which individuals become engaged in cyber strategy rather than falling back on the belief that cybersecurity isn’t their personal responsibility. By empowering everyone to take ownership of the enterprise’s cyber posture, community members can become more engaged in cyber-safe practices.

Relevance

Merely relying on education and awareness is not enough to foster a culture of security. Changes must be made at both the leadership and community levels. By lowering the barrier to cyber-focused practices, enterprises can minimize their attack surface through organization-level buy-in for following and maintaining the company’s cyber strategies. Additionally, enlisting assistance from community members can improve security posture by adding means of early detection and supporting information collection efforts. By offloading some of these tasks, cybersecurity staff can refocus their efforts on categorizing and mitigating threats.

References

[1] Bank of America. (n.d.). How to create a security-focused culture in your company. Bank of America. https://business.bofa.com/en-us/content/cyber-security-journal/security-aware-culture.html#footnote-1

[2] Beardsley, T., & Larson, D. (2024, October 23). Engaging with Security Researchers: Embracing a “See Something, Say Something” Culture. CISA. https://www.cisa.gov/news-events/news/engaging-security-researchers-embracing-see-something-say-something-culture

[3] Bitwarden. (2024, May 14). Building a Cybersecurity Culture in the Workplace. The Bitwarden Blog. https://bitwarden.com/blog/building-a-cybersecurity-culture-in-the-workplace/

[4] CISA. (n.d.). Defining Insider Threats. CISA. https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats

[5] Hart, D. (2024, August 30). Developing A Cyber-Focused Company Culture Through Leadership. Forbes. https://www.forbes.com/councils/forbestechcouncil/2024/08/30/developing-a-cyber-focused-company-culture-through-leadership/

[6] Posey, C., & Shoss, M. (2022, January 20). Research: Why Employees Violate Cybersecurity Policies. Harvard Business Review. https://hbr.org/2022/01/research-why-employees-violate-cybersecurity-policies