How to create a cybersecurity-aware culture in a hybrid world
Much has been written about the need to maintain company culture within the context of hybrid working. Despite the fact that most employees are receptive to more home working, many organisations are fearful that this will have a long-term impact on team spirit and lead to behaviours that don’t adhere to key company values.
Boards have a key role to play here. As this report from PwC explains, boards need to provide oversight on this issue, ask the right questions of management teams, and mitigate the risk of a breakdown in the culture that binds workforces together.
What’s also become clear over the last year or so is that any work that the board undertakes on culture change needs to incorporate attitudes to security.
This is for two main reasons:
1. The threat level from hybrid working is severe
There’s no doubt that hybrid working exposes organisations to an increased risk of security breaches. Incidents of ransomware on corporate networks increased by 72% in the first half of 2020 alone. Cybercriminals are also taking advantage of hybrid working by stepping up email-based attacks, targeting publicly exposed systems and exploiting vulnerabilities in older, unpatched devices.
2. Employees lack knowledge and feel disengaged from the issue
One of the biggest reasons attacks are increasing is that employees do not appreciate the seriousness of the threat. One recent survey found that more than two-thirds of workers do not consider the cybersecurity impact of working from home. There is also evidence of push-back from employees against home-working security policies. According to research from HP Wolf Security, 80% of IT teams experienced resentment in 2021 from users who do not like controls being put on them at home. The research also found that over half of younger workers were more concerned about meeting deadlines than about risking a data breach, and 39% were unsure what their security policies are. As a result, 83% of IT teams believe that enforcing corporate cybersecurity policies in a hybrid working structure is becoming ‘impossible’.
Towards a new approach to security
To address these issues, boards need to work in collaboration with leadership teams to create a new kind of cybersecurity-aware culture that is tailored to hybrid working – one where people feel a sense of collective responsibility, recognise the impact of failures and feel valued for playing their part.
To achieve this, we recommend that at least four things happen:
1. Involve employees in defining your new culture
The best way to start is by initiating an assessment of employees’ perception of new security issues. This will help to establish a two-way dialogue and gain key insight into the problems and challenges employees face with home working – particularly as they try to balance productivity and home life with the need to keep data and systems secure. It will also provide valuable information on how well they understand the threat related to hybrid working, risks associated with all the devices they use (including devices like smart speakers), and what their responsibilities are.
2. Work to establish a climate of trust
At the moment, many employees are reluctant to report a security incident or near miss for fear of reprisal. This is unsustainable and is likely to lead to more breaches going undetected. It also prevents the organisation from learning from errors, which is what drives continual improvement in security management processes. To address this, boards should take on the responsibility of establishing a more open dialogue between employees and managers: encouraging transparency, providing recognition for responsible reporting and driving a more positive cybersecurity-aware culture.
3. Establish new cybersecurity policies for hybrid working
From the findings of assessments and reviews, boards should also push for the creation of new or revised cybersecurity policies. These should be tailored specifically to how employees are changing the way they work. They should also establish new KPIs that leave all employees in no doubt as to where they stand.
4. Back policies with training
There is little point rolling out new policies without telling people why they are being implemented and what value they will bring. This means boards should also support leadership teams by backing investment in continual training, education and culture-change programmes specific to security. This will help to ensure that employees fully understand and engage with the new security policies.
More on this topic is available in our new handbook for boards on how to manage the impact of hybrid working on cybersecurity.
You might also be interested in our hybrid working and security checklist, which covers all the key questions boards need to consider to make sure they provide the guidance and support the business needs.