5 minute read 28 Oct 2022
Cybersecurity culture

Are companies paying enough attention to cybersecurity culture among employees?

By EY India

Multidisciplinary professional services organization

5 minute read 28 Oct 2022

Here’s why it is imperative that companies focus on building and sustaining a culture of cybersecurity.

In brief

  • A robust cybersecurity culture is built around employees who understand the impact of their actions, however small.
  • We need to understand that in any system, humans are the strongest asset but can also be the weakest link. Security culture is primarily for the humans, not for the computers. 

If the past few years have been about increased connectivity and digitization, they have also been about the increased cyber risks. The EY CEO Outlook Pulse Survey conducted in October 2022 finds that 31% CEOs think that among the greatest risks to their businesses is the cyber security risk.

The advent of new technologies such as cloud computing, big data, artificial intelligence, and the Internet of Things have made today’s IT world a lot different than what it was a decade ago. As the technology has been evolving substantially, so have the cyber criminals, with attacks getting increasingly sophisticated. 

The pandemic’s role in pushing companies of all sizes and sectors toward adopting an always-online mode and cloud and other cyber technologies is accompanied by a whirlwind of scams and fraudulent activity hitting companies in 2020 and 2021 with cybercriminals targeting employees’ access to the organization’s systems. 

In this time of digital disruption and increased cyber threats, many companies are focusing their cybersecurity efforts on the technology component—to the detriment of the human factor. When data is compromised, often it’s tied to negligence or failure in the cybersecurity system within the company or from a third-party working with the company.

First line of defense: Employees 

It is imperative that companies focus on building and sustaining a culture of cybersecurity and cultivate it in the workplace for effective cyber risk management. This would entail moving beyond the typical strategy used in which most businesses simply allocate a certain portion of their IT budgets or revenue to security without considering their actual needs. The approach must include helping employees realize that the risk is real and that their actions can have an impact on increasing or reducing that risk. Companies’ cybersecurity blanket must also include third-parties and others on their IT architecture.

Effective cybersecurity necessitates a persistent effort that covers employee behavior, third-party risks, and numerous other potential vulnerabilities in addition to application security, penetration testing, and incident management.

Enterprises spend millions of dollars on hardware and software but may neglect the simple act of properly training their employees on security practices. Teaching employees to recognize threats, curb poor cyber behavior, and follow basic security habits can provide the best return on investment. However, the benefits can be difficult to measure and therefore justify the expense. Trying to quantify the return on investment in employee training and building a culture of security can be difficult to sell to upper management. In many cases, management may not believe that just training their employees can reduce their exposure to cyber losses.

An example of cyber-attack using the employee route is phishing emails. In fact, 90% of data breaches start with a phishing email, according to a threat trend report by an IT major. Yet most employees believe they would know how to recognize a phishing email and would not act to the request in the email. However, at least one person clicked on a phishing link in around 86% organizations, finds the threat trends report mentioned earlier. With nine out of 10 ransomware infections coming from some form of phishing event, investing in employee training about phishing emails and other methods can reduce risk significantly.

We need to understand that in any system, humans are the strongest asset but can also be the weakest link. Security culture is primarily for the humans, not for the computers. Hence, it is important to instil the concept that security belongs to everyone by creating programs that cater to region, department, and role so that people understand that security is part of the organization’s culture. 

Steps to building a cyber security culture

Core to creating an effective cyber security culture is recognizing that people too make an organization secure, not just technology. If people are the weakest link then they are also the best response to cyber-attacks in cyber security chains. Therefore, it’s critical to foster an environment where employees have the knowledge and the instinct to be the first in the line of defense. 

Although the introduction of certifications like ISO 27001 and Cyber Essentials has encouraged policies, standards, and processes to improve cyber resilience, these measures are only present at a framework level. Hence, companies must ensure that the criticality of the framework trickles down to the people.

Corporations should nurture a cyber security environment in multiple ways, starting with cyber-savvy boards. It's critical to make sure that cyber risk gets the attention it needs, especially given the rise in public security breaches, employee moonlighting, data theft, and the frequency of economic interruptions brought on by cyberattacks. Boards of directors and leaders should be a part of the special committees that examine cybersecurity issues in a private setting.

According to a survey of senior management conducted, 64% workers are now working from home. To effectively reduce threats from a security standpoint, companies need a complete overhaul of not only policies and technologies but a large investment and effort on the people. To assure security in the new hybrid workplace culture, businesses are expected to invest in training their staff about cyber security, enhance their awareness, and make them understand their roles and responsibilities. 

Companies need to design and execute a culture change strategy to make employees and other parties realize that every action matters in cyber security. Cyber culture is a concept that goes beyond routine phishing simulations and annual training sessions.

Summary

We believe that when employees are truly engaged, they can act as allies of their IT and cybersecurity teams.

About this article

By EY India

Multidisciplinary professional services organization