IT Support LA has long been a strong advocate of Security Awareness Training for our clients’ employees. This is good advice for any business, but it is also self-serving. According to ‘The Psychology of Human Error’, a study performed by Tessian, 85% of data breaches are caused by unaware or untrained human end-users. The IBM Cyber Security Intelligence Index Report places that percentage higher – at 95%. All of those breaches are a headache to even the best Managed IT Services providers or in-house IT Support Department.

Your IT services can provide the best next-generation Cybersecurity measures, but any employee at any business can thwart those efforts by falling for phishing scams – fake emails containing an enticement to click on a malicious link or attachment. Click that link and the virus or Ransomware is loose within the network. Now it becomes the job of IT support to stem the infection, remove it, clean up the damage, and restore data to affected workstations.

It is one thing for a business to provide occasional Cybersecurity training, but quite another to build a security culture within the company, and far too few companies do any of that at all. An October 2021 survey by SecureAge Technology reveals that 1 in 4 respondents said their company offered or required ZERO Security Awareness Training.

Poll the IT Support Los Angeles community with that statistic and you will get mostly frustrated nods. Everybody knows what the score is. Too many CEOs and administrators fail to take their end-users’ role in Cybersecurity seriously – so how can anyone expect employees to take it seriously? Management needs to set the pace. Sometimes it takes a cyber-attack to get them to pay attention.

Even among those companies who do practice Security Awareness Training, it is not done often enough. Once a year doesn’t cut it – training should be repeated every 3 to 4 months.

How do you create a security culture for an organization?

Make it fun – but take it seriously. Security culture should be a general reflection of the company culture as a whole. Let it be known that mistakes, while not ‘tolerated’ per se, will not result in severe repercussions. This is a sensitive needle to thread. Rather than having a nervous workforce that’s terrified of making a mistake, employees need to be encouraged to rally around the concept of situational awareness and the healthy skepticism of any cyber communication that seems at all odd.

There are a 4 basic first steps towards creating a security culture in which every employee wants to be a positive contributor:

1) Training, Training, Training - FUN Training.
Every 3 – 4 months, with periodic online quizzes in between. Play Cybersecurity Wargames – fake phishing expeditions, password breaking races etc. Let employees know that is a priority concern and it is being woven into the fabric of their work lives. Just throwing a boring seminar or webinar at them every couple of years tells them you are not serious about it, and if you don’t take it seriously, they won’t.

There’s an old joke: A man in New York City asks a passerby, “How do you get to Carnegie Hall?” The passerby answers “Practice!”

So it goes with Cybersecurity. It must become second nature – an automatic reflex.

It Support LA offers Security Awareness Training that takes out the tedium and adds the fun. People remember things after an engaging encounter better than something that puts them to sleep.

2) A solid foundation
Your IT support, whether in-house or an outsourced Managed IT Services provider must be rock solid, comprehensive, and responsive. For a security culture to take root and flourish, the staff must have confidence that the policies and procedures set forth for handling suspicious communications and cyber-attacks are dependable. When notified or forwarded a threat, IT needs to report back on the results. Employees should not be left to wonder if what they reported fell into a black hole.

3) Deputize the staff.
Impress upon every employee that security is up to everyone. The company is their work, where they earn the money for everything that makes their life good. If a fire breaks out on a ship, it is up to EVERYONE on board to play their part in fighting it – just as it is up to all on board to follow safety protocols to prevent fires. If they don’t, they may end up in the water.

Every end-user must be made to feel like a security deputy. They must know that threats and attacks are inevitable, and each employee may be called upon to be the first line of defense. Create the attitude of ‘We’re all in this together.’

4) Recognition! Rewards! Prizes!
Employees value praise from a boss or public recognition more than they do their paycheck. Reward the best security performers in the trainings, tests and wargames with recognition and prizes. Do NOT mention the worst performers – no public shaming. EVERY person in the office wants to be singled out for praise in front of their peers – it’s a prime motivator.

Building a solid Cybersecurity Culture is not a ‘one-off’ memo to the staff. It must a concerted, continuous effort, and every employee must be able to see management’s commitment to it every day. Too many companies institute policies, bury them deep within the Employee Handbook and allow them to fall by the wayside until nobody remembers that they were ever there.

Over 50% of businesses that suffer a successful cyber attack file for bankruptcy within 6 months. Security Awareness Training is not a whim or passing fancy – it’s survival.

Frequently Asked Questions

Q: What is a cyber security culture?

A: Cybersecurity Culture (CSC) consists of the following factors: The knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of employees in regard to network security and how they affect the interaction with information technologies.

Q: How can cybersecurity culture be improved?

A: 1) Lead from the top. Executive management must carry the security banner for all employees to see.
2) Accountability and feedback. Do not just throw employees into regular training and then drop it. Mechanisms for feedback must be in place.
3) Exercises and threat simulations. Once employees know these can happen at any time, they will stay more alert.
4) Improved automation. Not just for security, but any instance where employees’ jobs are made easier allows for greater attention to security.

Q: What is the leading cause of data breaches?

A: Far and away, it is phishing and its variants like smishing – a phishing attack sent over SMS messages. These attacks lead to a variety of malware, from Ransomware to viruses.

Q: What are the 3 types of data breaches?

A: Physical: Data is stolen in person.
Electronic: The most prevalent – gaining unauthorized access to a network.
Skimming: Electronic devices which capture the data on the magnetic strip of a credit or debit card.

How secure is your network?

IT Support LA offers a FREE, no-risk network and security assessment. No strings, no obligation.
Just fill out the form on this page or call us at:
818-805-0909