What happens to an organization when it has no security culture?

Let’s begin by looking at what culture is and why it matters. Culture is tacit and elusive in its very nature. It is often unspoken, based on behaviours, hidden in the thoughts and minds of people. We often see it embedded in the organization’s framework: in its vision, mission and values, which can also describe the attitudes it has towards various things. Such as, does it value innovation over tradition? Does it focus on people or processes? Does it embrace change? Or, will it fight it every step of the way?

Observable culture is the way an organization welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors.

Culture is also the way you go about your day-to-day work when no one is watching. This was highlighted when we moved to a remote working situation as a result of COVID-19 and witnessed an uptick in cyber incidents and successful breaches.

We are all familiar with the term ‘toxic culture.’ This describes an organization that is not a nice place to work. People are mean, no one really wants to come to work, bad behaviour gets rewarded or ignored and the general perception is not at all positive.

This depends on who you ask. In November 2019, KnowBe4 commissioned Forrester Consulting to evaluate security culture across global enterprises. In this study of 1,161 people, 758 unique definitions were given for security culture. Those 758 unique definitions were then broken down into five different categories based on the general sentiment reflected in each of the proposed definitions. Here is the breakdown:

While all the responses are correct in their own way, one stands out as it incorporates them all, and that is the 12% of people who said that a good security culture meant that security was embedded into the organization.

A good security culture is where people make the right decisions when it comes to security, are aware of the threat landscape, know what red flags to be on the lookout for, report all suspicious activity and understand their role in cybersecurity as the human endpoint.

A (cyber)security culture is not just completing training or reporting phishing emails. It’s the unseen and sometimes unmeasurable situations that occur and the subsequent response. Let’s look at the benefits of having a culture of security versus not having one.

The following situations are from the point of view of the human - your users - and represent what is going on in their minds when they're presented with a security-based situation.

Situation 1 – A phishing email (malicious email) arrives in an inbox from a bank. It has multiple grammatical errors, a link that is clearly suspicious, multiple font sizes, is unformatted and the sender’s email address is clearly fake.

Situation 2 – A USB device is found on the floor of an office corridor with ‘Payroll 2022’ written on it.

While these situations seem second nature to those of us who live and breathe information security and cybersecurity, they are not second nature to everyone else. I promise you that this is exactly what your people are thinking and doing every single day.

It’s true. Every organization already has a security culture whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen.

To understand the security culture you have today, you need to ask some questions, make some observations and take the time to document what you discover.

Start by asking: Do your people understand the impact to your organization if a breach were to happen? Are they aware of the cyber threat landscape? Do they lock their devices when they step away from them in all situations? Do they follow existing policies (internet usage, clean desk, reporting incidents, etc.)? How do they respond to phishing and other social engineering? Do they consistently create insecure workarounds (use a personal Dropbox or unsecured personal devices at work, etc.)?

Once you have an idea of where you are, it's time to consider, discuss and define what your organization's security culture should be.

The KnowBe4 Seven Dimensions of Security is a great place to start as it looks at the following elements:

1. What attitudes do you expect your people to have towards security?

2. What behaviours are you wanting to change or see?

3. Do your people have an understanding, knowledge and sense of awareness?

4. How do you go about communicating with your people and do they feel like part of the solution?

5. Have you considered and included your people in your policies and do they know what to do?

6. When it comes to the unwritten rules of conduct at your organization, have you thought to include (cyber)security?

7. Lastly, and perhaps most importantly, as without it you are doomed to fail, do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?

Once you have the answers to these questions, you are well on your way to creating and nurturing the security culture that you want. From here, the next step is to ask your people a set of questions using our Security Culture Survey from our Security Culture Report 2022, which gives you a baseline for the Seven Dimensions of Culture.

Ask, does my organization care about security? Which areas of the business are least and most security-minded? Which employees are most risk-averse? How strong or weak is our security culture? In what part of our organization do we need to improve security culture? And, how effective is our security culture programme?

In addition to answering operational questions like those above, the Security Culture Survey provides you with indicators for reporting your organization’s security posture to the board or executive team. It also gives you a starting point to implement awareness, education and training across your organization.

Now back to the initial question: What happens to an organization when it has no security culture? Let’s flip it to this: What happens to an organization when it has the security culture you want?

Building a strong and positive security culture as defined by you is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organization’s risk and increase resilience.