You’ve likely heard about organizations having a culture of compliance but not as much about having a culture of cybersecurity. Yet as threats to our sensitive data’s privacy and security ratchet into the red, it’s the perfect time to create a cybersecurity culture that protects your organization from cyber-threats and attacks.
Luckily, much of what applies to creating a culture of compliance can also work for creating your cybersecurity culture.
1. Security from the bottom up. Everyone needs to know exactly what their role is when handling sensitive data. If you don’t understand what counts as sensitive data, you likely also don’t understand how easily you can place it at risk. From an entry-level employee to the C-level, anyone can expose data. Which leads to…
2. Invest in training. Technical security controls can only do so much to prevent a breach. Employee awareness training at all levels of an organization is essential to filling the gaps. Online or in-person courses, refresher sessions and testing all help bring home the point that security is imperative, and that the same rules apply no matter what your title or function. Training should not be an annual ‘check the box’ activity; it needs to be delivered throughout your organization several times a year, otherwise it is too easy to forget what you’ve learned.
3. Keep education simple. It’s easy to fall into the jargon trap. IT is full of acronyms and jargon, and sometimes people nod and smile as if they understand when they don’t. Explain ideas and train in plain language. When you’re describing what a phishing email looks like, or what malware is, make sure you’re not using words that only people in IT would know. Create realistic scenarios drawn from everyday business operations and tasks where sensitive data is at risk, and show how each one connects to cybersecurity.
4. Focus on security basics. Turn auto-updates on, and restart computers regularly so that pending security patches can finish installing (many patches do not take effect until the machine has been rebooted). Remember that not everyone thinks about cybersecurity and information privacy the same way. Digital adults - people who grew up with iPhones in hand - are not going to think about privacy and security the same way as those who remember when HIPAA first rolled out. Digital adults have always shared everything online, so they naturally have a different attitude toward what should be private and what shouldn’t.
5. Get senior leadership buy-in. It’s the old “walk the walk” idiom. If management hasn’t embraced and evangelized the importance of a cybersecurity culture, no one else will. The IT department may carry the flag, but it’s senior leadership’s job to plant it and rally everyone around it.
It all comes back to the data and who can touch it, access it and share it. Do you have one place where you can monitor access, confirm that security patches were installed, and see who attended the latest training? If not, it may be time for a platform like MyVCM that supports your ability to create and refine your own culture of cybersecurity.
Contact us to learn more about how we can help you build, manage and maintain your cybersecurity program.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.