The Cyber Security Culture

What do I mean when I say “cyber security culture”?

The next article here on CyberAwake will be the fiftieth and we have not really got into cyber security culture. So far we have looked at a wide range of topics, from the obvious one, ransomware, to proving who accesses your information, Microsoft Office Macros, the insider threat and thinking about who knows more about your cyber risks than you do, among other things. But for the next few articles we are going to look at how you can create a great cyber security culture in your organisation.

We touched on culture when we discussed that a “blame culture” in an organisation is the threat actor’s best friend – if people are going to be blamed, they will keep quiet if they can get away with it – allowing that ransomware encryption to get everywhere…

But where do you start?

Communications and your cyber security culture

This is not where a complete board level programme for creating an effective cyber security culture should start, but it is a step that you can implement today, right after finishing this article.

A great cyber security culture has a calm, effective means of reporting incidents

Report an issue!

Create a clear and simple reporting process that anyone can use to report anything they feel may impact the cyber security of the organisation. The obvious case is a suspicious issue with their PC – maybe they opened an email attachment or the computer is behaving oddly – and for this there should be a number to call that connects them to the technical team. (You should read these articles though – Minimise the Damage and Pull the Plug: But I haven’t got a plug!.)

However, a good cyber security culture does not stop there. Why not have an email address that goes to a board-level or senior manager, where people can report other concerns, such as:

  • Cyber security issues they spot.
  • A policy or procedure that they feel does not work right.
  • An article they have read that highlights an issue that applies to the organisation.
  • Bad working practices – although this should not be a place to snitch!
  • Etc. etc. – Run some training so your team know it is an open forum and what you all can gain from it.

That Fiftieth Article…

This is just a quick start to culture, more to come.

You will have to wait until next week for that as I am attending a cyber security conference and on a writing retreat for the rest of this week.


Clive Catton MSc (Cyber Security)


Further Reading

Microsoft Office Macros – The Good, The Bad and the Ugly

Ransomware – A Primer

More on MFA and your risks when using it!

What do you know about your website?

The Insider Threat – the threat landscape and the first steps…

The Blame Game

Featured image by Nandhu Kumar

In text image Ivan Samkov