Developing a culture of cybersecurity within your organization

Nowadays, businesses regularly use technology to safeguard their documents and their employees’ and customers’ personal information. Even when organizations install protection software or have on-site cybersecurity departments, their employees’ actions remain a major weakness. A recent report showed that a significant proportion of companies’ cybersecurity breaches are committed by employees who do not respect the organization’s information security policies (NTT Security, 2019; SANS, 2018). More than ever, building a culture of behaviour that favours corporate security is essential for companies. More precisely, a cybersecurity culture consists of placing human behaviour, including that of employees, in its organizational context in order to protect the organization’s information through compliance with the information security policy and an understanding of the company’s security requirements. Creating or improving a cybersecurity culture requires good communication between managers and employees, through security education, training, and awareness, about the right initiatives to use.

Several organizations use, or have used in the past, the SETA training program (“Security Education, Training, and Awareness”) to make their employees aware of the risks present on the Internet and the means to guard against them. However, a frequent criticism of this training is that companies find it difficult to put the theoretical practices described in these programs into practice. That is why researcher Moneer Alshaikh (2020) conducted a study to identify practices that businesses can actually apply to help create a cybersecurity culture.

To find practices applicable within real companies, the study examined three large companies based in Australia. The three organizations, Insurance1, AusSuper, and Insurance 2, have all received SETA training. They agreed to share the positive impacts of this training and to take part in interviews and questionnaires.

One of the researcher’s main observations throughout this process is that it is essential to take the time to decide which areas are a priority for improving the security culture within the organization. The table below shows examples of areas to improve.

Then, to address the problematic areas, the three organizations implemented five themes that came up often. The goal is to create a tool composed of themes that are easy to teach and apply, and that are intuitive, short, and easy to remember: 1) Be respectful online; 2) Think before you click; 3) Think before you send; 4) Keep your files and your devices secure; 5) Report any suspicious item.

Top 5 cybersecurity behaviours (Alshaikh, 2020)

The organizations received these themes well, and the companies also assigned an individual to teach them to colleagues and to follow up. Finally, the main interest of this article is the creation of five cybersecurity initiatives that not only help create a corporate cybersecurity culture but are also relatively easy to apply.

“Five key initiatives to transform SETA from compliance to culture” (Alshaikh, 2020)

This article’s contribution is considerable both for the field of research and for its application to companies. These five practical tips for an organizational cybersecurity program proved useful and relevant in the organizations under review and may be applicable to yours.

To cite: Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98.