Corporate culture is a popular buzzword, although the concept has been around since the 1980s. As a term, it can be hard to define and measure because it refers to employee morale and satisfaction. In essence, corporate culture refers to how it feels as an employee to work at a business. And it can be important in more ways than just ensuring employees want to come to work every day.
Cybersecurity and corporate culture may sound like two unrelated things. But the often unspoken rules and ideas that create the fabric of an organization’s culture can have a grave impact on cybersecurity.
We spoke with Jeremy Clopton, Director at Upstream Academy, about corporate culture. He explained why corporate culture should be an important part of your cybersecurity strategy.
Corporate culture starts at the top
“If leadership doesn’t view cyber risks as important, it’s going to be really hard to get your employees to take them seriously,” said Clopton.
Regardless of written policies, attitudes from the top can trickle down the corporate chain. If you want employees to behave a certain way, make sure leadership is demonstrating that behavior.
For example, cybersecurity training is not typically something people look forward to. It is often viewed as a hassle or irrelevant to the employee. But if your corporate culture emphasizes the benefits of cybersecurity, employees are more likely to take training seriously. This is especially true if your leadership is engaged in the training process.
The human factor in cybersecurity risks
Employees are the first line of defense against cybersecurity threats. And some employees are more likely than others to be targeted for phishing attacks, said Clopton.
Phishing is an attempt to trick someone into turning over sensitive data, like account numbers and passwords. Phishing attacks most often arrive as emails disguised as messages from reputable businesses. Employees without proper training are less likely to recognize phishing attempts and more likely to hand over sensitive data.
Poor password practices are another area where employees can put your business at risk. Employees may be using default passwords, passwords that are not strong enough, or passwords associated with unprotected accounts. If an employee uses the same password for business applications as for their personal accounts, and that personal account is then compromised, it could put your business at risk.
Ideal corporate culture
According to Clopton, you need to create a corporate culture that embraces the idea of protecting the organization. When you emphasize cybersecurity as the responsibility of everyone, you instill employees with a sense of ownership in the protection of your business. A workforce engaged in the idea of keeping your business safe is going to be receptive to training and more aware of threats and how to avoid them.
Clopton also recommends creating an environment where employees are not afraid to ask questions or report suspicious activity. A person worried about being ridiculed or fired for falling victim to a phishing attack will be less likely to report an incident when it occurs.
Ensure you have efficient methods of business communication and conduct training often. Clopton recommends “bite-sized training” every couple of weeks. If you cover everything in one long training, then never discuss it again, people won’t remember everything they were taught.
You also want to keep your training current as modern threats morph and change. Keeping on top of the latest trends and threats can seem daunting, but if you work with a managed IT services provider, they can do the hard work for you.
If you’re not sure where to begin, consider an honest assessment from an IT expert to analyze your current system and how it can be improved.