How to Develop a Culture of Data Security
- Tobin Conley
- July 13, 2016
Security isn’t an IT issue, it’s an organizational issue. And it’s a project that never ends. You don’t set it and forget it—security requires continual attention not only from the IT team but from every person on staff.
That sort of ongoing attention to security requires a special type of workplace culture. Ideally, everyone on staff understands the role they must play in keeping their organization’s network and data safe from cybercriminals and other security threats. But if that’s not the case at your organization, here are some practices that will help you foster a culture of security.
Make the case for a culture that places value on guarding the data entrusted to your organization.
Cultivating a culture of data security requires a different set of skills than the ones the IT team regularly uses. So who spearheads this kind of cultural initiative? It may be your forward-thinking CIO, your CEO, internal communications, or even HR.
After all, this is an internal marketing job more than an IT job. Since you’re promoting a cultural change, it could even be defined as a change management project. You’re trying to get the attention of staff and convince them to change their habits. That’s no easy task!
The person in charge of this initiative must have a high level of communication and persuasion skills—a high EQ (emotional intelligence). You may want to enlist the aid of a partner on staff who has the requisite soft skills, if you don’t, and is motivated enough to accept the challenge of helping make the case for data security.
Recruit security champions.
It takes more than one person to change a culture. You need a team to help you reach and persuade everyone on staff. Train a group of security champions or ambassadors. Once they understand how critical it is to build a culture of security, they can help colleagues develop good security habits.
Elevate the security discussion.
Security awareness starts at the top—in the C-suite and board room. If you want to build a culture of security at your organization, you need to start with the influencers at the top of the organizational chart. You’re going to need their buy-in, literally and figuratively.
Focus security training first on the C-suite, senior staff, and department heads. The C-suite is often the target of phishing (social engineering) attacks—they need to know what they might be up against. Plus, they set the example for others. If they don’t value security and follow the rules, their direct reports won’t either.
Help staff develop good security habits.
Staff has a critical role to play in security—they’re the first line of defense. Some of them may have to abandon risky habits and develop safer ones. In the interim, they may feel inconvenienced by “your” rules. Most importantly, they need to recognize when a security threat is occurring or likely to occur.
A behavioral change of this magnitude won’t happen unless your team—IT staff, security champions, and leadership—has established relationships with staff based on trust, communication, and support.
- Does staff understand the reasoning behind security policies and procedures?
- Does the IT team meet regularly with other departments to discuss business processes, needs, and concerns? Do you even have a relationship with other departments?
- Is staff likely to go to the IT team if they’ve made a mistake that could threaten data security?
Make security concerns personal.
Security is a concern at home as well as work. Let staff know that your organization’s security awareness training will also help them prevent security threats, such as phishing and other social engineering attempts, which could affect their personal and financial data.
Remember those Nigerian prince scams?
Paint a picture. Use stories when possible. People relate to and remember stories and images more than directives. They also provide context and relevance for complex issues. Talk to staff about security incidents in the news. Explain how these incidents happened, how they impacted the organization, and how they could have been prevented. Describe how the same thing could happen to your organization—or to any of them as individuals. Help them understand how, yes, this can happen to you and here’s how.
Customize your message.
People on staff use data and technology in different ways. Some of them use personal mobile devices for work, others don’t. Some have access to member data, others don’t. Don’t deliver the same training message to everyone. If what you’re saying is irrelevant to somebody, they’re going to tune you out. Instead, meet with groups of staff who do the same type of work or use the same type of technology.
Provide training bites, not buffets, to keep them coming back for more.
Attention spans are short and getting shorter. Don’t overwhelm staff with information they’ll never remember. Share security stories (lessons) via staff meetings, coffee breaks, emails, videos, collaboration platforms, and good old-fashioned signs in common areas. Provide a comprehensive resource online that can be accessed whenever someone has a question.
Pay extra attention to social engineering.
When the security company McAfee sent out a ten-question Phishing Quiz to their customers, only 3% of 30,000 participants aced the test. It only takes one person to click on a malware link for a hacker to penetrate your perimeter defense.
Social engineering training for staff is a wise investment. Let staff know ahead of time that you’ve hired a firm to deploy phishing attacks. If someone falls for the phishing attempt and clicks on the “bad” link, they’re told they’ve been phished and must watch a video about social engineering and phishing.
Reward security-conscious staff.
Encourage staff to find security vulnerabilities and bring them to your attention. For example, reward the person who ’fesses up and tells you about a workaround that’s used because an existing process is cumbersome. Work with staff to find process fixes that aid productivity and close up any vulnerabilities.
Security begins with trust—and you.
Creating a culture of security requires a relationship of trust between the IT department and the rest of staff. The IT team must be seen as solution providers and partners in productivity, not rule enforcers and progress obstructers. Once you’ve created a security-conscious mindset within your organization, you can start to feel more confident about your ability to protect your data assets.
What does your overall security picture look like? Download our infographic, Is Your Organization Protected from Cyberattacks?, to see if your risk of a security incident is elevated.