Human Firewall: How to Successfully Build a Cybersecurity Culture
by Tina Siering
IT security depends not only on the infrastructure and security technologies used, but also to a significant extent on the people who use the digital systems. While the security technologies in use are now highly reliable, people are increasingly becoming the weak point. Cyber criminals usually look for the easiest way to obtain data or penetrate a network - and this way too often leads through uninformed employees. Establishing a functioning culture of cybersecurity, regularly sensitizing all employees to existing threats and integrating them into the security concept as a "human firewall" is crucial for a company's overall IT security today.
What is Cybersecurity Culture - and why is it so important?
The term Cybersecurity Culture refers to a continuously heightened security awareness among the employees of a company. The Cybersecurity Culture includes behaviors, specific knowledge about possible cyber threats and the conviction of the people involved to proactively counter these threats through their own actions. Currently, unfortunately, a Cybersecurity Culture is either non-existent or very weak in many companies and organizations. While companies have massively expanded existing security technologies in recent years, workforce training is often neglected. A global study conducted by the training specialist KnowBe4 reveals alarming gaps in knowledge, especially when it comes to basic behavioral skills. For example, a quarter of all employees use only one password for all accounts - and the same number still use passwords that are far too short or simple, despite all the educational campaigns. A shocking 77% of all employees do not protect their passwords from unauthorized access. Why is there such a discrepancy between the actual and desired cybersecurity culture?
The latest Cybersecurity Culture Report provides the answer. An overwhelming proportion of employees simply do not know how they can improve protection against cyber threats in the company through their own actions. Or to put it in figures: currently, only three out of ten employees know their area of competence and their role in the topic of cybersecurity. One thing can be concluded from this: cybersecurity must focus more on people. Because while technical security measures can reliably fend off attacks, cybercriminals are increasingly relying on psychological manipulation. Social engineering is used to exploit human vulnerabilities, and to a greater extent than ever before. So it's time to build a functioning cybersecurity culture!
9 steps to build a successful cybersecurity culture
Is your company well enough prepared for an emergency? Do your employees have the expertise to respond appropriately to a security incident? Are the company's security processes regularly tested with planning exercises on the technical side and, more importantly, at the executive level? If not, be sure to follow these nine steps to a successfully established Cybersecurity Culture.
Step 1: Comprehensive education
In many organizations, employees simply don't know the value of the data they personally work with and which needs to be protected. Whether it's sensitive customer data, research results or the next marketing campaign, a comprehensive education campaign can get everyone "on board." The more openly the company's - and therefore each individual workplace's - exposure to cyber threats is communicated, the more understanding for behavioral change can be achieved.
Step 2: Present technical inadequacies
The workforce certainly knows that the technical security measures deployed by your company are not perfect - but many employees still rely on the protection provided by firewalls, antivirus software and "IT". It is therefore even more important to clearly and precisely point out technical vulnerabilities and make it clear that the best technology is only as reliable as the people who use it.
Step 3: Explain new protection measures
Two-factor authentication or the use of a VPN are valuable protective measures from a security perspective. For colleagues in administration or production, however, such measures initially complicate daily work routines. Therefore, make your staff aware of new protective measures by providing regular information updates. Explain the purpose behind the technology and clearly highlight the benefits it brings for everyone within the company.
Step 4: Break down barriers and simplify reporting
In many companies, there is a persistent prejudice that contacting the IT security team means you have done something seriously wrong. Fear of warnings or even job loss leads to "radio silence" - as a result, the security teams don't even notice many incidents in the first place. So for a functioning Cybersecurity Culture, be sure to simplify the contact process. If the workforce knows how to report suspicious mail or verify the authenticity of a call without barriers, they'll be happy to take advantage of the opportunity. This is especially true if it is routinely communicated that security incidents are in no way the "fault" of the person reporting them. It is much more important to take the correct actions and be well prepared if the worst happens. It is helpful to have "emergency manuals" ready for a functioning incident management system.
Step 5: Refrain from punishment
Parents know: punishing mistakes is significantly less effective than rewarding good behavior. At best, the "fear" factor can be used to gain consent for measures - but not acceptance. And this is precisely what companies need for a functioning cybersecurity culture. Therefore, focus on encouraging correct behavior - and forget about any form of punishment for employee misconduct.
Step 6: Learning is easier when it's fun
Training in the area of cybersecurity is an indispensable measure. Unfortunately, training sessions are far too often delivered as presentations of entire catalogs of measures that scare, bore, or alienate the audience with incomprehensible "tech-speak." To ensure that the workforce takes the topic of cybersecurity seriously, training that is fun belongs at the top of the agenda. The more comprehensibly the topics are presented and the better the content is linked to real experiences, the greater the willingness of the audience to actually internalize the messages.
Step 7: No abstract content, but tangible reality
When it comes to training, the content can't be practical enough. Using examples from "real life" that the audience ideally knows from the news or their own experiences, you can make the content stick in their minds for a long time.
Step 8: Involve executives
Senior executives in a company have the most extensive access to sensitive data and systems. Accordingly, they often find themselves in the crosshairs of cyber attackers. Unfortunately, senior executives in particular are known for their tendency to ignore measures for good cyber hygiene. Therefore, executives in particular must always participate in training sessions just like all other employees, without exception. In addition, executives should be aware of their exposed position and think and act as role models.
Step 9: Develop and implement cyber defense strategies
The prerequisite for permanent incident response readiness - and thus a functioning cybersecurity culture - is the development and implementation of a comprehensive cyber defense strategy. This is the only way to ensure your teams' ability to detect, defend against, and mitigate complex attacks.
Most companies currently have reliable security tools in place that eliminate the majority of "classic" cyber threats. Unfortunately, cybercriminals are also aware of this - and attack specifically where vulnerabilities open up. The "human vulnerability" is increasingly being targeted by social engineers who use manipulation, built-up pressure and perfidious strategies to gain access to sensitive data and company secrets via employees. With a company-wide cybersecurity culture, the urgently needed "human firewall" is erected. Sensitized employees, educated through regular training and involved in security strategies, are arguably the most important weapon in the battle with modern cyber threats of all kinds.