How to create security culture in your organisation

KnowBe4, a provider of security awareness training and simulated phishing platform, says in this piece that organisations should invest in the technology, embed the security, but should not forget that people are their most important asset

Security. This is a word that can make a grown Chief Financial Officer tremble and an entire Security Operation Centre crumble. It is the word that captures a complex landscape littered with complexity, cybercriminals and technology. It defines how well an organisation adheres to a growing body of legislation – GDPR, POPIA and other data protection regulations – and how its reputation fares when a breach is revealed and information exposed. Security should be on every boardroom agenda, in ongoing employee training, and in investment into the right tools and solutions. But, perhaps most importantly, security should be an inherent part of the company’s culture because it is this factor that ultimately determines its security risk and posture.

“There is a clear link between security culture and secure behaviour and that, in itself, correlates to a clear reduction in risk for the organisation,” said Anna Collard, SVP Content Strategy and Evangelist, KnowBe4 Africa. “By improving your security culture, you are immediately improving employee behaviour and potentially plugging one of the biggest security gaps in every business – people. People are often the weakest link. The ones who click on the link, who open the phishing email, who share their company passwords and who accidentally create vulnerabilities within the organisation.”

A recent study undertaken by KnowBe4 examined the behaviour and security culture of more than 97, 000 employees across 1, 115 organisations worldwide. The study dug down into the components and building blocks of security culture and unpacked how this has become a critical component for any robust security structure in a detailed whitepaper.

“IT leaders have always known exactly how important people are to the perfect security triumvirate – people, process and technology,” Collard said. “But, over the years, process and technology have been pushed to the forefront of investment and conversation, leaving the human element wide open and the business at risk. The reason for this shift is multi-fold – it’s hard to engage with a diverse workforce and the security message is not always that exciting.”

Yet, the research found a very clear proof that a robust security culture reduces the risk of credential sharing and improves the entire organisation’s security posture. In fact, it found that there was a 52x difference between the behaviours of people sharing credentials in a poor security class and the best which highlighted how a focus on security culture can significantly change the way employees adopt secure practices and behaviours. This again underscores the value of setting up a security culture programme that explores the seven dimensions of security culture and how these can be improved within the organisation.

These seven dimensions include: attitude, behaviour, cognition, compliance, communication, norms and responsibility. And they provide the organisation with a solid framework within which to build an equally solid security culture that has longevity and relevance.

“The more that the business focuses on security culture, the more likely it is that employees will follow secure practices and adopt more secure behaviours,” Collard said. “This groundbreaking research has provided a very clear and measurable link between security culture and secure behaviour and emphasises the value of investing into people, training and security communication best practice to ensure that this link is always maintained.”