How is the security culture in your company? Why only a holistic concept is the key to success!
by Svenja Koch
The Rise of Security Culture is not a new movie, but rather the title of an interesting study conducted by the security platform knowbe4.com in 2020. Security culture is a term that you probably cannot categorize exactly at first glance either. That is exactly how it felt to the decision-makers in security and risk management from a wide variety of companies worldwide who were surveyed in the study: around 94% of them considered security culture to be critical - but the respondents disagreed on precisely what the term should mean. Reason enough for us to take a closer look at the topics of "security culture in companies" and "security awareness"! Because holistic concepts in matters of security are essential today, and above all in the future.
Security culture in the company - what does it mean?
Culture - a word that, according to the definition in the Gabler business encyclopedia, is understood as a "term for what is materially and immaterially created by man." Accordingly, security culture is the set of standards and basic assumptions shared by the members of a company or organization and applied when dealing with security-related aspects. The idea of a safety culture emerged in the late 1980s in the wake of the Chernobyl nuclear power plant disaster. As with the term "culture," a distinction is made in a company's security culture between tangible and intangible characteristics:
- The intangible security culture comprises the norms and values that are shared by the members of a company and integrated into the work process.
- The tangible security culture describes the technical and organizational procedures that prevent disruptions directly at their point of origin.
And what does security awareness mean?
For security concepts to become a security culture in the company, a process is needed: the process of making the entire workforce aware of existing security problems. This can be done through regular training sessions (particularly appropriate in companies with high employee turnover), through training courses, and through guides. If all employees have the necessary "awareness" of existing security risks, and everyone involved knows what to do in the event of a security-relevant incident, then security awareness has been achieved.
Security Awareness: The Elementary IT Security Concept
IT systems are in daily use in virtually every company. Accordingly, a pronounced awareness of cyber security issues - security awareness - is a fundamental element of security culture. After all, IT security is only as good as the people who operate the security systems. So how can the threats to a company's IT security caused by employees be minimized? The answer is training, training, and more training! Whether as online training or on-site with employees: only with sufficient background knowledge of the various forms of cybercrime and the current threats can employees gain the security awareness that has become indispensable in their daily work in a digital world.
The best IT security concept is toothless as long as people remain a risk factor
Most companies have now taken precautions to protect their networks and data from cyber-attacks. However, the most significant risk in terms of IT security is not sufficiently considered in most IT security concepts - and can also hardly be assessed: people. The employees of a company can, mostly completely unknowingly, undermine any IT security. Social engineering, the carelessly used USB stick that happens to be infected with malware, or the ill-considered click on a link in an e-mail: if employees are not aware of current cyber dangers, they represent an obvious risk factor. By establishing a security culture in the company, the human factor can be integrated into IT security. But this is anything but an easy task.
This is how a security culture can be established in the company
At the beginning, we described security culture as a "set of standards and basic assumptions" that are "shared and applied by the members of a company." However, for a security culture to become established in a company, it is important to speak not only of "the" members, but of "all" members. In fact, a security culture can only be introduced successfully when all the people working in and with the company - from the executive board to management and employees to the customers - are involved.
And this is how a security culture can be implemented:
Security culture starts at the top
All changes within a company must be initiated by senior management. Management is responsible for developing, promoting, and supporting security policies within the company and for ensuring that they are followed. The role-model function should not be underestimated! Only if management visibly lives the security culture will the concept be accepted in the company.
Define the security concept - and put it in writing!
Especially when dealing with IT, many employees are still unaware that they pose a risk to security by behaving in an ill-considered manner. Therefore, every newly developed security concept (and thus, of course, every IT security concept!) must be defined, documented, and made available to all employees. On the one hand, an IT security concept should be understandable to less technically experienced employees. On the other hand, it should show in as much detail as possible which measures are to be observed when dealing with the company's IT. The IT security concept should cover the handling of confidential data and the correct use of secure passwords. By the way: the best IT security concept is of no use if employees are not aware of it. Well-organized internal communication is therefore also important.
Training and updates
To ensure that every employee is integrated into the security culture, the company's security guidelines must be understood. An IT security concept can be reliably communicated to employees through training, especially if the training and courses are tailored precisely to their different roles (and therefore different risks). Moreover, corporate security policies do not stay current forever. Cyber threats are continuously evolving - accordingly, the security culture in the company must also evolve and adapt to new threats. IT security policies, in particular, therefore need to be updated regularly.
Reward instead of punish
If an employee disregards the defined guidelines and thereby endangers IT security, this is annoying - but not yet a reason to "publicly pillory" the employee or issue a warning. It is much more efficient to reward those employees who stand out for their exemplary behavior in terms of security culture. On the one hand, this encourages the employee in question to act positively - and on the other, it acts as an amplifier and role model for their colleagues.
Find ambassadors for the new security culture in the company
Every company has particularly influential employees. Whether through long tenure with the company or simply through their personality, these employees can be ambassadors for the security culture. They can actively promote it within the company and get critical security information across in a far more authentic way than any "top-down" training can accomplish.
Beware of the downturn
As with so many new, innovative developments, the implementation of a security culture in the company can quickly lose its initial momentum of enthusiasm. In the medium term, the fate is then a quiet disappearance into the wastepaper basket. To prevent this during the introduction of a security culture, progress must remain recognizable over the long term. Setting many small, short-term goals is the order of the day here. On the one hand, this allows employees to see the value of the new processes directly. On the other hand, they feel empowered to actually make a difference through their behavior.
Culture, the "material and immaterial things created by human beings," is far more than just an abstract umbrella concept. Rather, "culture" is the determining factor for success - on a large scale for humankind, and broken down to a small scale for companies as well. By introducing a security culture, companies can specifically "eliminate" one of the most significant risk factors: the human factor. This is because employees still represent a risk, especially when dealing with IT. No matter how well the IT security team is set up, and regardless of the performance of the protection software used, if an unsuspecting employee plugs a malware-infected private USB stick into their computer, many security concepts are powerless. With the introduction of a security culture in the company - with pronounced security awareness, logically structured and comprehensible security guidelines, and an IT security concept that involves all employees - the vast majority of security risks can be countered.
On the one hand, the security culture needs to be accepted, supported, and lived by all employees. On the other hand, the guidelines and expected behaviors must also be communicated comprehensively. If the security culture can be implemented successfully, the first step toward sustainable, holistic security in everyday working life has been taken.