In an era of digital disruption and increased cyber threats, many companies are focusing their cybersecurity efforts on the technology component, to the detriment of the human factor. When data are compromised, most often it’s tied to negligence or a failure coming from inside the company, or from a third party working for the company.
Per Accenture’s last High Performance Security Study(1), more than half of the executives surveyed said their greatest security impact comes from malicious insiders or employee negligence. While severity varies, these can lead to severe damages for the company and its reputation.
Companies are implementing more advanced security controls on their infrastructures, applications and devices to protect against intrusions or the leaking of their crown jewels. Furthermore, companies are adopting best practice control frameworks like the National Institute of Standards and Technology(2) or the Federal Financial Institutions Examination Council(3) to further improve their operational controls.
These efforts can be effective, but they are missing one thing: Employees are considered the first line of defense in a company, and to reduce cyber risks, companies are encouraged to infuse the right culture across the organization.
Lead from the top
The risk is companywide, and responsibilities are too. Corporate culture often starts with the tone at the top.
Unfortunately, recent news has displayed several examples of incidents that have been hidden at the executive level, causing harm to the company’s reputation as well as disengagement among employees. Therefore, programs that are designed to improve cybersecurity awareness within corporate culture should include targeted actions at executive levels to promote transparency, reinstate trust in leadership and demonstrate senior management commitment.
Implement and track culture changes
Policies and siloed training can only partially achieve a strong corporate culture. A culture change effort involving human capital aspects as a central piece of the equation with previous learnings, experience sharing, incentives, job profiles and other updates can help drive a sense of accountability and ownership. A culture change tracker made of data collected from surveys, benchmarks and employee experience focus groups can help risk and compliance departments predict potential outcomes of the change initiative, monitor the progress and take corrective actions as needed.
Leverage advanced analytics
Acting on culture means being proactive and preventing the risky behavior or activity before it happens. A climate of confidence can encourage employees to continue to declare mistakes or misconduct when they occur. Nevertheless, the “see something, say something” practice is sometimes not sufficient.
Leading companies are now using advanced technologies like surveillance, analytics and Artificial Intelligence to connect the dots between cybersecurity metrics (like Data Loss Prevention or vulnerability scan results, patch policy compliance breaches, incidents, etc.) and other data points (such as hiring, training, logging patterns, email communications, compliance incidents) to build a comprehensive intelligent system that helps better understand root causes and uncover new emerging issues before they occur.
A cyber risk culture may not exist in your organization, but implementing cyber risk awareness within the corporate culture is the right thing to do.
(1) “High Performance Security Report 2016,” Accenture 2016. Access at: https://www.accenture.com/us-en/insight-building-confidence-facing-cybersecurity-conundrum
(2) NIST – National Institute of Standards and Technology
(3) FFIEC – Federal Financial Institutions Examination Council