From a business perspective, cybersecurity is fairly easy to define and typically has three elements.
- Know what needs to be protected -- and why -- by identifying critical information assets.
- Know what those information assets need to be protected from by developing an in-depth knowledge of the threat and risk environment.
- Protect information assets for as long as they exist by creating protection strategies and mitigation plans.
But for these protection strategies to succeed, organizations must develop a high degree of cybersecurity awareness among their people and embed it in a strong culture of security.
Ultimately, organizations are trying to avoid the loss and misuse of the personal and financial information of their employees, customers and suppliers, while also protecting intellectual property and any other information required for business continuity.
Creating a cybersecurity awareness culture
Employees are simultaneously an organization's weakest link and its first line of defense. To resolve this inherent tension, all employees must understand their cybersecurity roles and responsibilities. Promoting this kind of security culture helps keep employees interested and invested in protecting critical information assets.
A culture of security also means that cybersecurity awareness should be an everyday part of business, and that security must apply to everyone in the organization. A cybersecurity program can quickly be undermined if certain classes of employees, especially management, do not apply the cybersecurity rules.
Awareness is both the understanding that something or some situation exists and the way that thing or situation is perceived. In simple terms, awareness answers two questions: "What do we know?" and "What do we believe?" That is exactly the goal when creating awareness and a culture of security: getting people to adopt the beliefs, attitudes and behaviors that build a culture of cybersecurity.
Cybersecurity awareness goals
When promoting cybersecurity awareness among employees, it is important for management to understand that widely cited industry estimates attribute the great majority of cybersecurity breaches (a figure of 95% is often quoted) to human error. One goal of cybersecurity awareness is to reduce this class of vulnerability through awareness and education.
Employee awareness and education are therefore areas where cybersecurity investment measurably reduces exposure, and management should make awareness and training a major focus of any cybersecurity plan.
It is also important for employees to understand that they are the preferred targets of cybercriminals. Employees already have access to the information that cybercriminals want, and attackers regard the people who hold the credentials and access as soft targets that are easier to manipulate than the systems themselves.
A second goal of creating cybersecurity awareness is to inform employees that they are in the crosshairs of cybercriminals and to instruct them about their roles and responsibilities to reduce risk exposure.
As was mentioned earlier, in order to get people to adopt these cybersecurity behaviors, you have to change employees' attitudes with respect to cybersecurity.
A common employee attitude today is that cybersecurity exists solely to make their jobs harder. Another common complaint is that cybersecurity is simply not part of their job.
To dispel these attitudes, you must change employee beliefs about cybersecurity. Employees should come to believe that each of them has a responsibility for cybersecurity and that each can benefit from incorporating cybersecurity best practices into their work.
The employee's cybersecurity role
It's important to remember that people act out of self-interest. You must tell people what's in it for them and show how engaging with cybersecurity serves their own interests. Here are some ways employees benefit from cybersecurity:
- A safer work environment.
- A reduced possibility that their personal information will be stolen and misused.
- Continued employment, as cybersecurity breaches have caused organizations to go out of business.
- A more productive work environment.
Understanding their cybersecurity roles and responsibilities can help employees eliminate uncertainty when they do face a cybersecurity incident at work.
Therefore, a third goal of creating cybersecurity awareness is developing positive beliefs and attitudes among employees regarding the importance of cybersecurity. They should also develop an understanding of how they can benefit from being engaged with their cybersecurity roles and responsibilities.
A company's cybersecurity awareness plan must be grounded in an understanding of what its critical information assets are, the threat environment those assets face, and how to develop protection strategies for them.
The plan should then use that understanding to build cybersecurity knowledge, shape beliefs and attitudes about security, and guide employees toward behaviors that support cybersecurity. Doing so motivates employees and shows them how they benefit from improved cybersecurity across the organization.