According to a recent study by Experian Data Breach Resolution and Ponemon Institute, Managing Insider Risk through Training & Culture, more than half of the organisations surveyed identified malicious or negligent employees as the cause of security incidents or data breaches.
Encouraging employees to build a cyber security culture
The study found that 67% of the companies surveyed provide no incentives to their employees for being proactive in protecting sensitive information or reporting a potential data breach. Furthermore, one-third of the companies have no consequences if an employee is found to be negligent or responsible for causing a data breach.
Among the organisations that do provide incentives, the report shows that only 19% of the organisations provide a financial reward, and only 29% mention security and data protection practices in the employees’ performance reviews.
According to Michael Bruemmer, vice president at Experian Data Breach Resolution, “Companies continue to experience the consequences of employees either falling victim to cyber attacks or exposing information inadvertently. There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.”
The complex and inconsistent behaviour of employees often makes them a rich hunting ground for hackers looking to create employee-induced security incidents. An effective way to address this and create a security culture within an organisation is to use the psychology of group behaviour, drawing on how and why people follow social and cultural norms.
Organisations that want to understand how to create a culture that promotes cyber security within the workplace can draw on an expert’s experience to understand how many successful and easily preventable attacks occur.
Shift organisational culture with ISO 27001
Organisations that want to demonstrate international information security best practice by embracing the principles of managing people, processes and technology should consider achieving compliance with ISO/IEC 27001:2013 (ISO 27001). The Standard recognises that information security is not just about antivirus software, implementing the latest firewall, or locking down your laptops or web servers.
Those implementing ISO 27001 understand that technology alone is incapable of defending against the evolving nature of information security threats. An ISO 27001-aligned ISMS (information security management system) helps organisations coordinate their security efforts (both electronic and physical) coherently, consistently and cost-effectively.
An ISO 27001-compliant ISMS includes regular staff awareness training, as well as measures for monitoring, continual improvement and maintenance that contribute to developing a culture of security throughout the organisation.
In addition, ISO 27001 requires leadership commitment to support the ISMS, which in turn reinforces an organisation-wide culture of security.