Cyber Security Cultural Change for SMEs

The war with cyber criminal scumbags rages on, and unfortunately the battle is still being lost by the good guys. Luckily we're yet to unleash our greatest arsenal in full. No, it's not AI, it's not tech, it's not process, it's people. People are the biggest target, and people are therefore the greatest asset if they know how to identify and respond to IT scams.

Now broadly speaking there are three simple levels of awareness maturity:

1) We've done nothing. Yeehah, pow pow shooting from the hip!
2) We've done awareness training. That's enough right?
3) We've done awareness training, and we strive to embed awareness into the corporate culture so it's always front of mind for staff. #kickinggoals

Make no mistake - achieving number 3 is where the battle is won! You did awareness training? Great, now what? How do you keep information current, how do you keep people thinking about IT security daily, and constantly making good decisions?

And for SMEs with (typically) no defined IT security budget and limited staff, how can this be achieved? Here are some pointers:

  • Organise for a tattooist to come onsite for a day and tattoo "IT Security is Everyone's Responsibility" onto the foreheads of all staff. Or just pick a slogan, and maybe put up a poster or two here and there. Difficulty factor = Low.
  • Assign someone to the role of "Cyber Champion", or whatever you want to call it. "Chief Scam Hunter" works well too. Ensure they are interested in IT stuff, and have time formally allocated for the responsibilities. Difficulty factor = Low.
  • Once a week they could stand up at a staff meeting, and share an IT security tip or issue. Difficulty factor = Low.
  • Share email attacks (images only), what was learnt, how to improve. Perhaps the company is being targeted so all staff can be informed. Don't forward the scam emails with dodgy links or attachments. If you do that, you are not the right person for this role! Difficulty factor = Low.
  • Be the "go to" person for when someone is suspicious and doesn't know how to act. Be approachable and super nice! Difficulty factor = Low.
  • Own and manage policy development around IT security. e.g. "Use of IT Systems", "Bring Your Own Device", DR / BCP etc. Difficulty factor = Hard, but engage IT support if you can.
  • Always be encouraging and nurturing, and if people aren't acting correctly, give them additional support / training. Run a few competitions regularly for people who are kicking IT security goals. Maybe they get movie tickets, which aren't very expensive. Difficulty factor = Low.
  • Build up a list of content around IT security to use as your knowledge base. That can be used to distribute snippets to staff regularly. If you had cyber security awareness training, use what you learned from that. You did learn something right? Difficulty factor = Medium.
  • Follow people / groups / companies on LinkedIn. e.g. The Cyber Security Hub, or use the SANS Security Awareness resources. There are countless goldmines of up to date information out there to use. Difficulty factor = Low.

Corporate culture will be the greatest challenge companies will face in the battle against IT crime, and simple things like this make all the difference!
