Culture is key: How CIOs can build cyber-resilience

Nick Emanuel, Senior Director of Product, Webroot and Carbonite, stresses the importance of training to build up an organization’s cyber-resilience.

Given the widespread technology transformations, shifts and disruptions of the past year, businesses of all sizes have had to re-evaluate their ability to face ‘unprecedented’ threats, or simply to manage the new hazards involved in preventing a ransomware attack.

While some CIOs sought new technologies to eliminate risk and protect the business, others recognized the opportunity the pandemic presented to invest the time and money needed to evaluate and strengthen each layer of security.

When we reviewed the latter group’s changes, one element stood out time and time again: the company’s end-users. Where we found a company security culture, with IT leaders at the forefront of it, playing a big role in raising an organization’s overall cyberawareness, we saw far fewer attacks reaching the endpoint. We saw this for what it is: a real-world example of cyber-resilience in effect.

What is cyber-resilience?

Being cyber-resilient means being able to withstand and quickly recover from cyberattacks and accidental data loss. Because data loss or a malicious attack can easily derail a business, layered security and a commitment to both data security and data protection have emerged as essential for today’s CIOs and CISOs.

Businesses know the limitations of traditional security defenses, and that cyber-resilience can’t be achieved through technology and process alone, but they can find it hard to champion or build a viable business program around it. True resilience calls on the entire organization to be educated about and aware of the threats at hand, and to actively participate in minimizing the risks they pose.

Taking ownership of cyber-resilience across the whole organization

For employees of all backgrounds, it is reassuring to know of on-going investment in new technologies and detection methods to help meet a variety of cybersecurity challenges, from blocking threats by malicious actors or nation states to hiring enough security staff to safeguard employees and businesses online.

However, it has never been more crucial that every employee takes ownership of their online behavior. This is because the most common threat, phishing, is at a record high given the disruption and opportunity that the on-going pandemic presents, and the employee is often the direct target.

In fact, research conducted during the pandemic into online behaviors and click habits found that in Australia and New Zealand, one in five people reported receiving phishing emails specifically related to COVID-19. 76% of respondents also admitted to opening emails from unknown senders, with over half (59%) attributing this to the fact that phishing emails look more realistic than ever.

It takes time to reach a healthy level of cyberawareness, but getting started has been made much simpler by awareness training toolsets and programs. The effects are cumulative and can be measured from day one.

Building healthy suspicion into day-to-day online business routines, along with simple steps such as using unique and strong passwords for every login, disabling macros in documents and removing local admin rights from devices, can keep end-users safe from a range of common threats. Efforts to build the right employee awareness and behavior should be spearheaded by the CIO and CISO, and senior leadership needs to buy in to encourage lasting change. Employees should receive routine updates on cyber-resilience initiatives and progress, to communicate their priority and importance to the wider organization.

Education and awareness are everything

Simply put, if employees are not educated about cyberthreats, they can’t be expected to defend against them. That is why many businesses are now turning to training and education services specifically geared toward helping employees improve their security posture.

Cybersecurity awareness training varies in length and curriculum, but elements can include phishing simulations, courses on security best practices and data protection, and compliance training for important regulations such as Australia’s Privacy Act 1988 (Cth), New Zealand’s Privacy Act 2020, GDPR, HIPAA and CCPA.

Training is of course important at onboarding, but regular on-going simulations, engaging content and gamification are what create and sustain a true culture. To reinforce a cyber-resilient culture, IT leaders should report on successes (such as the number of attacks blocked) and communicate the latest risks, threats and tips on cybersecurity trends and best practices to staff through internal newsletters, emails and remote check-ins.

Business leaders should incorporate reminders and updates about cybersecurity into team meetings and other important company updates to underscore the importance and purpose of investing in cyber-resilience.

By leading the implementation of appropriate practices and considerations into company culture, CIOs, CISOs and their peers have the power to reduce the risks posed by cyber-criminals by significant margins.

By making sure staff understand that they play a critical role in security, companies are empowered to protect data and operations and, ultimately, to uphold the trust placed in them by customers, employees and stakeholders.

Intelligent CISO