What is Cybersecurity Culture and Why Your Organization Needs It

By Justin Krentz

Recently, we were invited to submit an article to the PA Medical Group Management Association's (PA MGMA) monthly e-newsletter, PA Pulse. You must be a member of PA MGMA to receive the monthly e-newsletter, and we encourage all our medical practice customers to become members of this worthy organization. While the article was written with medical practices in mind, we feel the information is valuable enough that we are reprinting it below.

As healthcare organizations continue to ingrain technology solutions into their daily processes, it is imperative that a more holistic, company-wide approach to cybersecurity is promoted to combat the increase in sophisticated and targeted attacks.

Historically, cybersecurity was thought of solely as an IT-department responsibility. Staff assumed that all necessary precautions were being handled, and outside of making sure your password was not on a sticky note attached to your monitor, other departments were absolved of any further involvement. That has all changed. To keep pace with fast-moving, ever-changing threats, we must rethink how we view cybersecurity within all aspects of our organizations.

What is Cybersecurity Culture? 

Cybersecurity Culture (or CSC) refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people’s behavior with information technologies. At its core, CSC is a shift away from the traditional fragmented security approach to one that is more sustainable by weaving it into the very fabric of the organization. 

To effectively nurture a cybersecurity culture in the workplace, it must be driven from the top down. You cannot expect this cultural change to grow or flourish organically, as it will require constant attention and transformation. Leaders within the organization must be visibly engaged and must enable staff to do what is right when it comes to protecting the company's data. This is by no means a one-time exercise; it is a shift in mindset that security is now the responsibility of all staff, and we must change how we work.

Best Practices for Promoting your CSC

So how does an organization effectively transition from a fragmented security approach to a cybersecurity culture? Regardless of where your organization lies on the CSC spectrum, there are four key processes you can leverage to create the framework for company-wide adoption:

  1. Don't skip the basics

To avoid confusion or costly mistakes, ensure that all staff have an in-depth understanding of your cybersecurity posture and the expectations set for each individual. Review items such as the password policy, the internet usage policy, how to detect spam and phishing e-mails, and other subjects pertinent to your specific organization. These trainings and reviews should include real-life examples and the consequences of a laissez-faire attitude towards security. A coherent and well-planned strategy should be baked into the onboarding process for new staff members so there is no knowledge gap compared to more tenured staff. Additionally, make sure the content is created with the least-technical employee in mind, as that person is often the path of least resistance for an attacker.

  2. Continually educate and inform

Just as technology is ever changing, so should be the internal processes and tools that support your security posture. For this reason, there must be continuous education and training. Given that your greatest defense against any attack is a well-informed workforce, staff must be educated and apprised of any changes in solutions or expectations. A key takeaway from this step is that it cannot be done in a vacuum. You must understand the varying degrees of knowledge within your organization (the security champions, the security aware, the slow learners, and so on) and tailor your programs and deliverables to their level of expertise. Some may take longer to learn or need more support, and that's OK. If everyone is progressing and buying into the program, you're on the right path.

  3. Measure the effectiveness of your Cybersecurity Culture and adjust accordingly

There are three areas that should be closely monitored and measured to evaluate the effectiveness of your CSC: awareness, behavior, and culture. Awareness is the easiest of the three to measure, as it can be done through online security training and quizzes. By leveraging any of the various services that offer online training and exams, leadership can review scores to see if any staff fall below an acceptable threshold. Behavior is more difficult, as it is best measured through simulated attacks: phishing campaigns, other simulated social-engineering attempts, or unannounced walk-throughs (e.g. are there any unlocked machines left unattended?). For a phishing simulation, track not only who clicked but also who reported the message and how quickly, since a workforce that reports suspicious e-mail gives your responders a chance to act. Culture is perhaps the most difficult, as it is not as quantifiable as the other two. Surveys, candid employee feedback, and analysis of sentiment towards the program will help provide the data needed to measure the level of adoption into corporate culture.
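As an added illustration of the awareness and behavior measurements above (example code written for this reprint, not part of the original article or any training vendor's product), the script below scores one simulated phishing campaign per department, lists staff below a quiz threshold, and sorts everyone into the training cohorts described in step 2. All names, departments, scores and the 70-point threshold are constructed for the example.

```python
"""Score a simulated phishing campaign and an awareness quiz, then sort
staff into training cohorts.  Every data value below is constructed."""
from collections import defaultdict

# Constructed results of one simulated phishing campaign.  Each row is
# (user, department, clicked_link, reported_email, minutes_to_report).
PHISH_RESULTS = [
    ("alice", "billing",    False, True,  4),
    ("bob",   "billing",    True,  False, None),
    ("carol", "front-desk", True,  True,  35),   # clicked, then reported
    ("dave",  "front-desk", False, True,  12),
    ("erin",  "clinical",   False, True,  9),
    ("frank", "clinical",   True,  False, None),
    ("heidi", "clinical",   False, False, None),
    ("grace", "it",         False, True,  2),
]

# Constructed awareness-quiz scores (0-100) from the same period.
QUIZ_SCORES = {"alice": 95, "bob": 55, "carol": 80, "dave": 70,
               "erin": 90, "frank": 60, "heidi": 75, "grace": 100}

QUIZ_THRESHOLD = 70  # hypothetical "acceptable" score chosen by leadership


def campaign_metrics(results):
    """Per-department click rate and report rate for one campaign.
    Report rate is tracked alongside click rate: a user who clicks and
    then reports still gives responders a chance to contain the incident."""
    per_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _user, dept, clicked, reported, _mins in results:
        d = per_dept[dept]
        d["sent"] += 1
        d["clicked"] += int(clicked)
        d["reported"] += int(reported)
    return {
        dept: {
            "click_rate": round(d["clicked"] / d["sent"], 2),
            "report_rate": round(d["reported"] / d["sent"], 2),
        }
        for dept, d in per_dept.items()
    }


def below_threshold(quiz_scores, threshold=QUIZ_THRESHOLD):
    """Staff whose quiz score fell below the acceptable threshold."""
    return sorted(u for u, s in quiz_scores.items() if s < threshold)


def assign_cohorts(results, quiz_scores, threshold=QUIZ_THRESHOLD):
    """Sort staff into tiers so training can be tailored:
    'champion'      - passed the quiz, did not click, and reported;
    'aware'         - passed the quiz and did not click, but stayed silent;
    'needs_support' - clicked the link or fell below the quiz threshold."""
    cohorts = {"champion": [], "aware": [], "needs_support": []}
    for user, _dept, clicked, reported, _mins in results:
        passed = quiz_scores.get(user, 0) >= threshold
        if clicked or not passed:
            cohorts["needs_support"].append(user)
        elif reported:
            cohorts["champion"].append(user)
        else:
            cohorts["aware"].append(user)
    return cohorts


if __name__ == "__main__":
    for dept, m in campaign_metrics(PHISH_RESULTS).items():
        print(f"{dept:<11} click {m['click_rate']:.0%}  report {m['report_rate']:.0%}")
    print("below quiz threshold:", below_threshold(QUIZ_SCORES))
    for tier, users in assign_cohorts(PHISH_RESULTS, QUIZ_SCORES).items():
        print(f"{tier:<14} {', '.join(users) or '-'}")
```

The "needs_support" cohort is the list to schedule for follow-up training; the "aware" cohort (passed the quiz, did not click, but did not report) is where a reminder about how and where to report suspicious e-mail pays off most.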

  4. Reward, recognize and celebrate successes

Look for opportunities to celebrate success! After everyone completes a training session, celebrate it. If the organization makes it through the year without any breaches, reward the staff. Recognize the person who reported a suspicious e-mail or a simulated phish as well, so that rewards encourage reporting rather than silence. Have pizza brought in for lunch, give away gift cards, or do something else to show that their hard work and dedication have not gone unnoticed. The return on investment of preventing just a single data breach far outweighs any cost spent recognizing these achievements.

Integrating cybersecurity into the corporate culture empowers staff with the knowledge and wherewithal to identify and combat threats, greatly reducing the organization's exposure and allowing it to do what it does best: provide services to its patients.

Are you confident that your organization is promoting a successful cybersecurity culture?