Thoughts: Building a Cyber Security Culture

Thoughts: Building a Cyber Security Culture

Cyber security awareness is often considered to be based on the ABCs. That is:

  1. Make people Aware of cyber security scams that are targeting them
  2. This should result in changes to their Behaviour
  3. Create a Culture of awareness.

So what is the culture part? It's ensuring a number of things like:

  • your company knows your current state, and where you want to go in regards to using staff against cyber crime.
  • staff are suspicious, and knowledgeable on cyber security scams so they can spot them and deal with them appropriately.
  • staff are regularly reminded of awareness topics and rules.
  • staff are informed on new scams, and associated safety rules.
  • staff know where to go to report scams, ask for help, and they feel comfortable doing this.
  • your awareness initiatives are well planned, with consistent branding and timing.
  • management know that staff are the biggest asset they have in the fight against cyber crime, and are nurturing and encouraging.
  • you measure so that you can improve, and you always try to improve.

It's a structured and cyclical process, but it's also something that needs to be customised for every company, because every company is different. Some companies want help to build this capacity internally, while others want someone else to look after it for them.

It's important to note that cyber security awareness training is a subset of cultural change. If you do awareness training stand alone, then you're not really building a culture. But if you want to build a culture, you'll need good awareness training!

Here's a link for more information on our cultural change program.