Creating a Culture of Security

October 19, 2023


Posted by Erik Thomas

The pace and severity of data breaches have cybersecurity professionals on the frontlines in a constant battle of what seems to be an unwinnable war against cybercriminals. The headlines are worrisome and have led to many sleepless nights for executives and IT leaders at small and medium-sized businesses (SMBs). The good news is that leadership can have an immediate and lasting impact on defending their organizations from the enormous impact of a cyber incident. The secret weapon: a company culture focused on cybersecurity – one that puts a priority on operating securely and authentically and resonates with staff.   

Creating a culture of security takes work and time; it is a journey, not a destination. With the right mix of business processes, education, and tools, your business can develop a strong, security-centric culture. 

Creating a culture of security starts at the top. If you and your C-suite are on board with creating a culture of security, the following steps are pretty straightforward:

Write and enforce an Acceptable Use Policy.

All employees should understand and apply the ground rules for using company resources and devices.  Can they access work email from their home PC and mobile devices? Can they access personal email while on the network? 

An Acceptable Use agreement spells out what is and isn't permissible and speaks to consequences – up to and including termination – for non-compliance with the policy. 

The policy should be updated at least annually, and all employees must review and acknowledge the policy.

Document and comply with your internal Information Security Policy.

Which steps has your organization taken to maintain and enhance your security posture? How are you protecting your customer and employee data?

An Information Security Policy (ISP) is the document that sets your internal standard for security. It might say, for example, that “all employees receive security training twice per year.” It’s then up to leadership to make sure that this policy is indeed complied with.

Simply going through the exercise of creating an ISP will force your organization to pose and answer tough questions.

Write and follow your Business Continuity Plan.

Having a documented Business Continuity Plan (BCP) that prepares for the "worst" demonstrates to your clients, employees, and stakeholders that you can maintain operations when faced with disaster.

Having a plan to react in a challenging business environment, like a pandemic, allows organizations to maintain client satisfaction and garner confidence in the organization's ability not just to survive but to thrive.

Train your people. Repeat and repeat again.

When was the last time your organization conducted formal security training with the staff? Did you repeat it, institutionalize it, and embed it in your culture? 

Verizon’s Data Breach Investigations Report (DBIR) 2023 found that 36% of all data breaches involved phishing. With the advent of AI assisting phishing schemes, this number will surely rise. Given the sophistication of Business Email Compromise (BEC) these days, it's no wonder untrained users are often tricked into letting "the bad guys" into your network by simply clicking on a hyperlink in an email.

Look for solutions and promote Security Awareness Training within your organization throughout the year. Some solutions offer automated monthly/quarterly/on-demand phishing tests, which help keep your users on their toes in between security training sessions. 

A security culture is important, but technologies and tools also matter.

Defending against today's criminals requires a range of protection measures against the different forms of cyberattack an organization faces. To manage evolving cyber risks, conduct an annual Cybersecurity Risk Assessment. This assessment takes a comprehensive look at your environment to determine what security controls and practices you have in place and where there are gaps.

In addition, an assessment should tell you the efficacy of each defense measure; you may have bought a security tool, but are you using it to the level your business requires? Armed with this information, your organization will know where to improve, thereby reducing the risk of a cyberattack. 

Creating a culture of security starts with identifying your cyber risks.


Erik Thomas is the Director of Advisory Services at Systems Engineering. Erik has over a decade of experience with IT, application development, and business operations. His group assists clients with the planning and implementation of IT systems, business development, cybersecurity risk assessments, and addressing regulatory compliance for businesses.