Cybersecurity Learning: Creating a Culture of Cybersecurity Awareness

Business leaders often face immense pressure from investors, consumers and other stakeholders to share information about how they are working to improve their organization’s position on a range of important issues. Shaun McAlmont, CEO of NINJIO, discusses how creating a cybersecurity learning culture could increase cybersecurity awareness across the organization.

The end goal of any effective cybersecurity training program is lasting cultural change. Cybersecurity should never be a check-the-box exercise – it should be second nature to all employees, whether they’re opening an email, downloading a document, or doing anything else that involves accessing company data or networks. Companies can facilitate cultural change by keeping employees actively engaged with the material they learn, regularly testing their knowledge, and ensuring that cybersecurity is a priority across the organization.

The direct costs of a ransomware attack are often immense, but the indirect costs can be even higher, such as lost trust and brand loyalty. When 81 percent of consumers say the potential risks of companies collecting their data outweigh the benefits, companies must demonstrate that they responsibly handle their customers’ personal information. It starts with a proactive culture that gives employees the tools to identify and mitigate cyber threats.

The ultimate goal of cultural change

The first step towards developing an effective cybersecurity platform is to establish an engaging training program. The second step is to ensure that the program educates employees. And the third step is to embed this training into the corporate culture and make cybersecurity awareness second nature to all employees.

It’s impossible to educate employees without keeping them engaged, but it’s clearly something companies struggle to do. According to the Gallup State of the Global Workforce 2021 report, only a fifth of employees worldwide say they are engaged at work. This leads to staff turnover, slumping morale and low levels of productivity, and Gallup estimates it costs the global economy $8.1 trillion a year.

Engagement is also an essential part of education. In a case study conducted at Kingston University in London, researchers increased student engagement with “message boards, recorded lectures, use of social media, [and] online forums,” which led to “improved retention and pass numbers compared to modules that were delivered without digital intervention.”

A considerable body of research suggests that another way to engage learners is to use story-based content. The end goal of these strategies is not just the retention of information; it is the creation of cultural norms that make the deployment of this information automatic for company employees.

Despite the central importance of building a cyber-aware culture, many companies have failed to do so. According to survey data published by Quinnipiac University, 60% of organizations believe they have failed to gain employee buy-in for their cybersecurity initiatives. In comparison, 42% do not have a plan to develop a culture of cybersecurity. More than half believe the CISO should “own” the process of developing a culture of cybersecurity awareness, even though cybersecurity should always be a company-wide priority. A 2019 study by MIT Sloan researchers summarizes the failure to prioritize the cultural components of cybersecurity: “Managers continue to invest in advanced technologies and, in many cases, resist investments in organizational mechanisms that would increase resilience.”


How to Become Cyber Secure

According to a recent PwC investigation, organizations with the most advanced cybersecurity platforms are twice as likely to report progress in “instilling a culture of cybersecurity.” The MIT study outlines several ways companies can create a culture of cybersecurity:

  1. Make cybersecurity an integral part of performance reviews and reward systems.
  2. Hold employees accountable for breaches of cybersecurity protocols (according to Accenture, 16 percent of CISOs say their company does).
  3. Develop healthy communication around cybersecurity.
  4. Provide consistent and up-to-date cybersecurity training.

Beyond adhering to these guidelines, companies must ensure that their cybersecurity cultures keep up with emerging threats. A recent report by Kaspersky Labs revealed that 93% of cybersecurity professionals agree that their domain “needs to evolve with the current and future landscape.”

But in many cases this does not happen. According to a 2020 study conducted by the Ponemon Institute, the proportion of companies that believed they had an effective cybersecurity platform dropped from 71% before the COVID-19 pandemic to just 44%. One of the probable causes is that companies are not adapting to the changing threat landscape: only 43% say they have “programs that inform and educate remote workers about the risks created by remote work.”

Human behavior remains the main handicap – and asset – of companies in the development and maintenance of their cybersecurity platforms. Several studies found that employees remain the weakest link in companies’ efforts to defend against cyberattacks, but that means cybersecurity education can have a powerful impact on any organization.

As more businesses recognize the value of cybersecurity training, it’s never been more important to examine what employees are learning and how they deploy that knowledge to keep the business safe.

Towards proactive cyber awareness

Cybersecurity training is a means to an end: creating a culture of cybersecurity awareness where all employees recognize that they have a responsibility to protect themselves and the business. That’s why it’s essential to encourage proactive cybersecurity habits and measure performance (as well as engagement) with tools like phishing tests, employee reporting mechanisms, and company-wide security assessments.

When companies take cybersecurity education seriously, they don’t settle for the mere existence of training programs. They will build their cybersecurity platform around facilitating long-term behavior change in employees, a process that will eventually lead to a robust and ongoing culture of cybersecurity awareness.

Has your organization recently taken steps to become more cyber and threat aware? Share your experience with us on LinkedIn, Twitter, or Facebook. We would like to know!

