Building a culture of security is essential to any organization. A culture built around security can help an organization create and maintain cyber resilience and a strong business environment. A nonexistent security culture can quickly lead to vulnerabilities and incidents. Employees should work together in teams rather than alone. People working alone may not try to improve security, and may instead pursue their own personal intentions as rogue employees. Teams of employees should be working towards similar goals and should be excited about the work they are doing. When employees are motivated and excited about their work, it can be seen in the results. Sharing responsibility can also avert attacks and reduce their likelihood. When organizations commit to creating a security culture, the result is more organized and disciplined operations, decreased risk, and increased stakeholder and customer trust.
Implementing a security awareness and training program within your organization can help enhance the security culture. According to the Shred-it 2016 Information Security Tracker Survey, 78% of small business owners in the US and 51% of the C-Suite report holding employee training programs only once a year or less. 28% of small business owners reported that they have never trained employees on company security procedures or policies. It is important that organizations prioritize and emphasize the benefits of employee training. An effective security training session held monthly or bimonthly can limit an organization's exposure to unintended risks, reducing the chances of data loss, costs, or reputation damage. It can give employees the basic skills and knowledge to detect security threats and avoid human error.
IANS Research faculty member Mike Saurbaugh stated that a comprehensive security awareness program should not be considered a destination, but rather a journey. The organization should begin by committing to maintaining a culture of information security. When management commits, it encourages employees to commit as well. Training should take an array of approaches, from speakers to video training content. A group of employees can be given the task of refining information security practices and being the eyes and ears of the workplace. Motivate employees by creating healthy competition between departments in games like “Who found the most phishing emails” or “Who reported the most suspected incidents”. Healthy competition creates a healthy and fun environment in which employees positively impact the organization.
Visual reminders can also be placed throughout the office to prompt employees to be aware and take caution in what they do, such as “Don’t forget to lock up” or “Stop! Shred the files”. Follow the Shred-it all policy to instill in employees the mindset of safeguarding their information through various tasks, which can include destroying all documents when they are no longer needed, clearing the desk before leaving, or locking up all documents. Following these simple procedures helps maintain a positive culture of information security.
LIFARS offers flexible security training practices for all organizations. With training that starts with the basics, LIFARS employee awareness training is designed with simplicity in mind, even offering customization, training materials, and real-life scenarios.