How To Build A Culture Of Cyber Security In Your Business


Cyber-attacks are more prominent, far-reaching and impactful than ever. From the major incidents that dominate front pages and cause geopolitical confrontations, through to the plague of scam emails that businesses and individuals deal with on a daily basis, there’s been a constant increase in the volume of attacks over recent years. Industry research suggests that UK businesses are now hit by a cyber-attack on average every 45 seconds, while BT has seen a 50% increase in malware traffic over just the last six months.

As a result, cybersecurity is now an issue that all businesses are thinking about on a daily basis, rather than being something that’s considered a problem for IT teams to deal with. It’s now seen as the most important business consideration after COVID-19, with the massive changes in our working and personal lives since the beginning of 2020 completely reshaping traditional security models. Organizations of all sizes are therefore having to either rethink their cyber strategy or rapidly implement one if they hadn’t already.

Ultimately, cybersecurity now needs to sit at the foundation of all organizations’ strategies and decision-making. Yet while large organizations often have entire teams dedicated to security, many smaller businesses with limited resources struggle to know the best steps to protect their organization. There are a few key steps that you can take to do this:

  • Understand the risks – it’s crucial to know what different types of cybercrime there are and how to identify them, as they could lead to anything from sensitive data being stolen, to your website going down, to blackmail and extortion. Take time to understand what types of cyber-attacks you are most vulnerable to, and how you can prevent them. The National Cyber Security Centre’s Small Business Guide provides great practical advice.
  • Get the fundamentals in place – for example: always make sure your operating system and programs are updated to the latest version to protect against the latest threats; make sure you have anti-virus on your devices; create a different strong password for each account that you use; enable multi-factor authentication (i.e. a combination of more than one log-in step) where available. Further guidance is available here.
  • Back up your data – all businesses, regardless of size, should take regular backups of their important data that can be easily accessed and restored. By doing this, you are far less susceptible to things like ransomware attacks. Identify the essential data that you could not function without, and ensure it’s backed up via the cloud or on a separate device from your main computers.

These steps are really important, but equally vital is that you consider the security behaviors and culture that you put in place across your business. The best security processes and technologies can be (and regularly are) undermined by human error, so ensuring that your people think and act securely is paramount. Make sure all your staff know the importance of their individual actions and the right steps to take – for example, knowing how to spot a phishing email, and what to do if they’ve clicked on a malicious link or seen a cyber security issue.

However, you cannot base your security on the belief that your people will get it correct all of the time. Mistakes will always happen, as cyber-attacks become ever more complex and harder to spot. Never punish users who are caught out – users who fear reprisals will not report mistakes promptly, if at all. Instead, build a culture where users can report when they’ve clicked on a phishing link, as this can give you a vital head start to scan for malware and change passwords before you’re breached.

People are your first and best line of defense, and many of the biggest cyber risks still result from the decisions people make on an individual basis. Creating a culture where each and every one of your employees feels responsible for security is key. Training provides an obvious way to educate your people, but it’s not just about telling them what not to do. You need to explain the importance of thinking securely, and how it benefits them as individuals as well as the wider company.  

The stakes are huge – not just in terms of the risks, but also the rewards. If you can ensure that security isn’t just a blocker or inhibitor, but rather an enabler that helps you to safely adopt new technologies and processes, you’ll not only be more secure, but also gain a real competitive advantage.

This article was originally published on CBI.