Living in today’s digital age, with all of its exciting technological advances and innovations, also means we live in a constantly evolving state of persistent cyberthreats. A 2022 survey by PricewaterhouseCoopers (PwC) revealed that U.S. executives consider cyberattacks the number one business risk their companies face. And according to the FBI Internet Crime Complaint Center’s annual report released just last month, the total potential loss from cyberattacks in 2022 surpassed $10.2 billion.
Senior executives and board members are becoming acutely aware of the “when, not if” reality, as well as the significant financial, legal, regulatory and reputational consequences of cyberattacks. They also recognize that cybersecurity can no longer be compartmentalized as the sole responsibility of their CISOs or IT departments. The goal of malicious actors is to infiltrate your organization where it is most vulnerable, which is almost never your IT department. A combined organization-wide effort is required to help protect your and your customers’ data from malicious attacks.
Cybersecurity is indeed everyone’s responsibility
With the rapid acceleration of digital transformation, including cloud migrations and transitions to remote or hybrid workforces, most organizations are already investing heavily in cybersecurity processes, policies and supporting technology stacks, including security information and event management (SIEM), managed endpoint detection and response (MEDR) and network access control (NAC) solutions, to bolster their cyber defenses.
Many companies are adopting a Zero Trust Architecture (Zero Trust) security model, currently regarded as a cybersecurity best practice. In fact, according to Statista, 80% of organizations surveyed have adopted Zero Trust or are in the process of adopting it. Zero Trust removes implicit trust, assumes any user, application or piece of infrastructure can be compromised, and therefore verifies each access request explicitly (who is asking, from what device, under what conditions) rather than trusting network location. The aim is to mitigate risk with security controls that enable the safe and secure use of data at all times and in all places.
Foundational to a Zero Trust approach is enabling a workforce of cyber-conscious employees at all levels and across all functions in your organization to help mitigate risks as part of your comprehensive cybersecurity plan. While this may require a cultural mindset shift to drive appropriate behaviors, it need not be thought of nor positioned as independent of your existing organizational culture.
Instead, your cybersecurity strategy should be aligned with your business strategy and core values which everyone should be aware of, experiencing or engaged in while conducting their day-to-day business activities. If you think about the strategic importance your organization places on all of your business imperatives around being digital-first, customer-centric and market leaders with values like trust, respect and integrity, you will find a cybersecurity narrative for each of them just waiting to be included.
As with all cultural-defining initiatives, it starts at the top with executive leadership communicating, modeling, encouraging and recognizing best practice behaviors which lead to desired outcomes for all stakeholders (employees, customers, prospects, partners, etc.) who engage with your brand. And it takes the collective collaboration and expertise of all humans in all functions (IT, security, HR, communications, marketing, sales, customer support, legal, compliance, etc.) to be successful and sustained.
The human factor
One small human mistake or oversight can be devastating to your business, and such mistakes happen far more often than you think. The 2020 Psychology of Human Error study by Stanford University Professor Jeff Hancock and security firm Tessian found that nearly 50% of employees stated they are “very” or “pretty” certain they have made an error at work that could have led to security issues for their company. The top reasons for clicking on phishing emails are the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Additionally:
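The two lures cited above, mail that appears to come from a senior executive or from a well-known brand, can be checked mechanically before a human ever has to judge the message. The following is an added example, not code from the original article or from Konica Minolta: it runs a few header heuristics (an executive's display name on an outside mailbox, an address written into the display name, a lookalike or homoglyph sender domain, and a diverted Reply-To) over constructed sample messages. The company domain, the executive list, the trusted brand domain and the messages themselves are all assumptions made for illustration.

```python
"""Header heuristics for the two phishing lures the article cites: mail that
appears to come from a senior executive or a well-known brand.
Added example, not the article's own code. Every domain, name and message
below is constructed for illustration."""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"dana lee": "dana.lee@example.com"}    # assumed: display name -> real mailbox
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acmebank.com"}  # assumed brand/partner domains

# Common character swaps used to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def edit_distance(a, b):
    """Plain Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(s):
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is
    either trusted itself or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if fold_homoglyphs(domain) == fold_homoglyphs(trusted):
            return trusted
        if edit_distance(domain, trusted) <= 1:
            return trusted
        # Brand label reused as a prefix/label: acmebank-secure.com, example.com.evil.net
        label = trusted.split(".")[0]
        if re.search(rf"(^|[.-]){re.escape(label)}([.-]|$)", domain):
            return trusted
    return None


def assess(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive display name on a mailbox that is not the executive's.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"display name '{name}' impersonates {real}")

    # 2. An address-looking display name that disagrees with the real sender.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and shown.group(0).lower() != addr:
        findings.append(f"display name shows {shown.group(0)} but sender is {addr}")

    # 3. Sender domain imitates the company or a trusted brand.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # 4. Replies diverted to a different domain than the one shown.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower().rsplit("@", 1)[-1] != from_domain:
        findings.append(f"reply-to {reply} does not match sender domain {from_domain}")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: Dana Lee <dana.lee@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "exec_gmail": ("From: Dana Lee <dana.lee.ceo@gmail.com>\nReply-To: dana.lee.ceo@gmail.com\n"
                   "Subject: urgent wire\n\nAre you at your desk?\n"),
    "lookalike_brand": ("From: Acme Bank Alerts <alerts@acmebank-secure.com>\n"
                        "Subject: verify your account\n\nClick here.\n"),
    "homoglyph": ("From: IT Helpdesk <helpdesk@examp1e.com>\nReply-To: helpdesk@mail-relay.net\n"
                  "Subject: password reset\n\nYour password expires today.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", assess(raw) or ["no findings"])
```

None of these checks is a substitute for DMARC, SPF and DKIM enforcement at the mail gateway, but the findings they produce are exactly the talking points an employee can be taught to look for: the name says "CEO" while the mailbox is a consumer webmail account, the brand is spelled with a digit, or replies go somewhere other than where the mail claims to come from.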
Give employees what they need to do their part
In addition to embedding the cybersecurity message into regular communication cascades, use empathetic and emotionally intelligent instructors who can speak in real-world terms to train your employees on effective cybersecurity practices, via interactive in-person sessions, virtual sessions and on-demand videos delivered throughout the year.
Simulations, scenario role-playing and gamification have all proven effective at keeping employees engaged and informed, and the experience is far more positive and memorable than a slide deck. Partner with people managers and provide them with guides containing functionally relevant talking points, so they can tailor the training to what their teams do every day and to the specific actions those teams can take to mitigate risks and handle incidents.
The most common types of cyberattacks that all employees should be aware of and trained on include:
And illustrate the practical things they can do to proactively mitigate and escalate potential risks including how to:
Make cybersecurity an integral part of your organizational culture
Network boundaries have changed, and our world is rapidly moving towards distributed systems and networks. While there is no “silver bullet” that can guarantee any business is 100% protected, being intentional about embedding cybersecurity into your organizational culture, using learning approaches that improve retention, will make a significant difference in helping all employees manage security risks effectively and reduce data breaches.
There are few things more powerful in this regard than a risk-conscious, security-aware and well-trained workforce of human firewalls who are ready, willing and able to take the cybersecurity journey along with your organization.
Learn about Konica Minolta’s cybersecurity services here.