This October, we celebrate the 20th anniversary of Cybersecurity Awareness Month, an annual event launched in 2004 by the National Cybersecurity Alliance (NCA) and the U.S. Department of Homeland Security to promote safer online practices and a stronger security culture. This year’s focus is on the importance of password management, multi-factor authentication, software updates, and phishing prevention.
While these best practices are helpful for employees, if your organization as a whole has lax security policies, you are leaving your team, company, and customers vulnerable to cyber attacks. This is especially critical to address if your organization collects and manages sensitive or protected data.
The Link Between Security Culture and Cyber Risk
We followed up with the CIOs, CISOs, and data security leaders we interviewed for the Digital Data Collection & Security report to get more in-depth regarding their opinions on the greatest risk to their data stewardship initiatives. Many of their concerns weren’t related to malicious outsiders but instead to their own employees.
“Sometimes business gets in the way of doing the most compliant thing possible,” one security leader responded. “We have to make sure people know that compliance doesn’t mean we’re secure and being secure doesn’t mean we’re compliant. Many companies look at compliance as a way to gain work, but maintaining compliance is really hard.”
A lax security culture will start to show in how employees handle customer data. Even if your organization currently takes measures to protect sensitive data, those measures will be undermined if you don’t establish strong security policies, training, and accountability across your entire organization.
How to Achieve a Positive Security Culture
Having security policies won’t be enough to achieve and maintain a positive security culture at your organization. And it is risky to assume that your employees are following even baseline security practices to keep data safe. IBM Security has reported that human error was a contributing factor in more than 95% of the security incidents it investigated.
Strong security policies and practices should belong to more than your organization’s security team. Being a good data steward of the data your organization collects is everyone’s responsibility, from leadership to HR and marketing.
To make sure your policies are practiced across your organization, you need to make sure every employee at your company feels empowered to engage in ethical data stewardship practices every day.
You need to reinforce this stance with ongoing training on:
- Cyber risks like phishing
- Categorizing and protecting sensitive data
- Their responsibility to uphold your organization’s data security policies
But don’t forget to give credit for security success. Mandating security awareness training is necessary for instilling your security policies in employees’ minds. However, this doesn’t mean you cannot also reward the employees who embrace and champion a positive security culture at your organization.
It can be difficult for employees to see the connection between their day-to-day interactions with sensitive information and how that can affect the security and compliance of your entire organization. Fostering a compliant workplace with routine training and open communication about your security policies can help keep employees engaged.
The more your entire team understands a data stewardship mindset, the better your organization will be able to maintain security, privacy, and compliance.
Get More Insights from Data Security Leaders
Interested in learning what other CIOs, CISOs, and security leaders are concerned about regarding their company culture and security policies? Hear directly from them in our eBook, 4 Biggest Threats to Data Stewardship.