What does good cyber security culture look like?
We issue a lot of technical advice around what a threat is, and steps you can take to counter it. However, when it comes to cyber security, there is sometimes a tendency to focus almost exclusively on the technical issues and to overlook the needs of people and how they really work.
We know, for example, that when official policy makes it hard for someone to do their job, or when a policy is no longer practical, people find workarounds and ‘unofficial’ ways of carrying out particular tasks. This can introduce risk.
Without a healthy security culture, staff won't engage with cyber security, so you won't know about these workarounds or unofficial approaches. This means that not only will you have an inaccurate picture of your organisation's cyber security, but you'll also miss the opportunity for staff to give valuable input into how policies or processes could be improved. Below are a few points/questions to help you gauge your own organisation's cyber security culture:
Do you have a good security culture?
- Staff know how to report any concerns or suspicious activity, and feel empowered to do so.
- Staff don't fear reprisals when they report concerns or incidents.
- Staff feel able to question processes in a constructive manner.
- Staff input is demonstrably used to shape security policy.
- Staff understand the importance of cyber security measures and what it means for the organisation.
What do you do to encourage a good security culture?
- Properly resourced staff awareness activities.
- Ensuring that staff input is included when creating new policies or system designs.
- Sharing security metrics which focus on success rather than failure (for example, how many people identified phishing emails rather than how many people clicked on them).
- Support from senior leadership on the importance of security.
(For senior decision makers) Do you lead by example?
- Engaging with and respecting security decisions, and working with decision makers to highlight ineffective policies.
- Taking responsibility for your own role in cyber security by recognising the risk you pose as a likely target for attackers.
- Speaking openly and positively to staff about why cyber security is important to the organisation.
- Not receiving 'special treatment', e.g. unnecessary admin rights, or skipping mandatory training or cyber security briefings.
If you have been the victim of a cyber crime, please report the incident to Action Fraud by phone (0300 123 2040) or via the website at https://www.actionfraud.police.uk.