IT Security

Building a security-minded culture

by Mark Rowe

Rory McEwan, Director at tech firm Dunedin IT, writes about making data security part of company culture.

The importance of good cyber and data protection processes has been amplified over the last year, brought on by remote working and IT teams needing to consider the associated security implications. For many businesses, these concerns are compounded by questions of how they will work in the future and whether their systems will be able to securely manage hybrid working styles. Data security continues to be top of the priority list for many businesses but, for the most part, companies tend to forget the human element involved.

As important as it is to invest in secure technology, evidence shows that employees – however inadvertently – are often the reason for security breaches. Analysis of data from the UK’s Information Commissioner’s Office (ICO) showed 90 per cent of cyber data breaches in 2019 were caused by user error, and Verizon’s 2020 data breach report showed human error was the only factor with year-on-year increases in incidents. For this reason, it’s imperative that businesses look at embedding data security practices into their company culture.

Security culture versus awareness

A simple way to explain the concept of awareness versus culture is looking at making tea in an office – something most of us will agree is a big part of UK workplace culture. A person new to the country might not expect to make a round of tea for everyone, but will soon become aware of the habit by watching and listening to others. When they start to regularly offer to make a round, we say they’ve embraced the local culture.

The same is true for security. Many people are aware of the need to keep data secure, and a significant number have at least a broad understanding of how. This growing knowledge increases our security awareness but building security culture involves behavioural change, for example locking your computer screen any time you step away. Once cyber security becomes second nature for all employees – not just IT professionals – we can say the company has a security culture.

Any type of cultural change takes time, and building a security-focused culture is no different. The first step is to ensure everyone feels responsible for cyber security. No matter how robust your security procedures may be, human error will always be the weakest link. A study published last year showed that 80% of organisations have had sensitive data put at risk because of employees simply sending an email to the wrong person.

Many people are quick to write off cyber security as something the IT department is responsible for. While there will be some aspects of security that the IT department will manage, such as testing firewalls, a sustainable security culture is achieved by everyone playing their part.

The next step is to provide continual training. Keeping abreast of security issues is an ongoing activity; an easy-to-read policy and regular engagement and messaging will encourage staff to keep security top-of-mind. These messages must come from the top of the organisation; when employees see senior leadership are playing a role in daily security measures, it will be easier for them to see it as part of their jobs, too. If there’s budget for it, you can even encourage staff to do a continued learning course or obtain a master’s degree in cybersecurity.

Finally, a security-focused culture must be welcoming. A culture that relies on blame and fear to raise awareness will lead to more breaches: if employees worry that they’ll face discipline for admitting a mistake, they will be less likely to report it. Instead, security breaches – once patched – should be treated as a learning experience, to remind employees about protocol and help them feel more empowered in handling sensitive information.

Maintaining a security culture

The American entrepreneur Tim Ferriss once referred to company culture as “what happens when people are left to their own devices”. Over the past year, with people working remotely and isolated from each other, we have all been literally left to [manage] our own devices.

With the increased number of people working from home and using their personal devices to access business networks, keeping people engaged with security protocols in their personal lives is also a central part of maintaining security culture.

As we return to the office, this won’t change. While conversations around data security may not have as strong an impact on the business, they will continue to be vital as many companies embrace flexible working patterns and allow people to split their time between home and the office. More importantly, the human element will always be part of cyber security, so a sustainable and engaging security culture is more important than ever. While it’s important that the business provides the tools to become secure, it’s up to employees to use them correctly.

© 2024 Professional Security Magazine. All rights reserved.