CLTRe researchers have been working to identify simple ways that organizations with low security culture scores can build and improve security culture amongst their employees. Unsurprisingly, some of the simplest advice we can give is to train your employees.
A recent analysis of over 200,000 respondents across 1338 organizations worldwide shows that one in five employees lack sufficient cyber security training. Over a third of employees (37%) feel that they do not get sufficient opportunity to read and discuss the information security policies in place. Furthermore, 21% of those surveyed said they receive little or no information about IT security from the company they work for.
Information security policies guide all employees on what behavior is expected and how to conform. If people are not made aware of what good behaviors look like and what they are supposed to do, they stand little chance of doing things the way we expect.
Encouragingly, the findings reveal that at least one in five employees realize that there are things that they do not know or should better understand, and on which they would benefit from more training. Providing sufficient opportunity for your employees to read and discuss information security policies with colleagues who understand how they’re meant to be applied can go a long way to help your organization build both its competence and confidence in dealing with cyber security threats.
Here are 4 tips to improve your organization’s understanding and adherence to written policies:
- Take the time to explain the policies, where to find them, and how they should be followed. Increasing understanding, knowledge and awareness of the policies themselves, including procedures to implement them into daily work tasks and activities, is the essential starting point.
- Improve the availability and quality of communication channels to discuss security-related issues and report incidents. This not only helps strengthen employees’ understanding of how important their own role is as a critical factor in sustaining or endangering the security of the organization, but also supports attitudes towards the importance of security in general.
- Provide regular training on security policies and procedures to ensure people don’t forget the basics and keep their skills sharp.
- Internal communication channels should be open and accessible to address any uncertainty and share best practices. Sharing lessons learnt, celebrating achievements, exemplifying correct behaviors, and acknowledging concerns are all proven mechanisms to improve security culture and reduce risky behaviors.