The Roadmap to Building a Cybersecurity Culture

Some days, tackling our to-do lists at work feels like spinning plates.

From 9 a.m. to 5 p.m. — or even longer — we hustle between meetings and tasks to get it all done. Wading through an overflowing inbox, we receive an email from what appears to be a trusted vendor requesting a bank update for an upcoming invoice. We quickly make the change in our billing system to route the next payment to the new financial account. Or, warned by an incoming text message that one of our work passwords will soon expire, we quickly upload sensitive details to a platform to keep our account active.

If these scenarios sound familiar, you are not alone. Digital slip-ups can — and do — happen in the workplace.

Today, more than half of all security breaches are due to human error, the Computing Technology Industry Association states. While businesses cannot fully eliminate such mistakes, they can empower their team members to mitigate risk to enhance organizational resilience.

How? By building a cybersecurity culture. The Sloan School of Management at the Massachusetts Institute of Technology defines cybersecurity culture as a workplace environment in which every employee embraces attitudes and beliefs that drive secure digital behavior. The National Institute of Standards and Technology frames it more simply: Team members embrace cybersecurity as “good business” and receive the training and tools to make sound decisions.

How can companies achieve that pivotal change in employees' values, attitudes and beliefs about cybersecurity? It starts with a mindset shift at the top.

Leadership should support employees in becoming a “human firewall” by equipping them with the knowledge and confidence to act wisely. Leaders should be transparent with their team members about digital threats and be open — within reason — about incidents if or when they occur. Just as important, executives and senior management should ensure employees feel safe raising concerns without fear of blame. Silence is often what turns a small issue such as an accidental click into a major security failure. Encouraging team members to flag potential incidents sooner can mitigate the consequences of a breach.

Contrary to popular opinion, a cybersecurity culture does not and cannot emerge from a single annual training. That is why company leadership should focus on making cybersecurity a routine part of workplace conversations. That may look like embedding timely reminders in weekly team meetings, sharing quick updates on collaborative work platforms such as Slack or encouraging informal discussions about emerging cyber threats. The goal of such discussions is not perfection but consistent awareness. When businesses treat cybersecurity as a core corporate value, employees often follow suit.

Leaders must also recognize that investing in technology alone will not foster cybersecurity resilience. Far too often, companies succumb to pressure from third-party vendors to pile on preventive tools, assuming additional purchases equate to more protection. In reality, those investments can slow systems and disrupt operations, ultimately hampering employees' ability to perform their jobs efficiently. As Cybersecurity at MIT Sloan noted, companies end up putting “so many resources into ‘locking up’ using technology that [they] forget about the back doors in the organization” that give cybercriminals a foothold into their systems.

Instead, businesses should work with a knowledgeable partner to pursue high-value solutions. An experienced cybersecurity professional can help companies understand their vulnerabilities and design controls within a comprehensive cybersecurity framework to identify, protect, detect, respond to and recover from threats. They can also outline processes such as multistep, verified guardrails for financial transactions to reduce the likelihood that a single mistake becomes a costly breach.

That said, companies must also view cybersecurity as a shared responsibility. A professional can provide counsel, but only a business's leadership understands the nuances of company operations and how that may affect the implementation of certain processes. Both sides must be involved in the process from start to finish to ensure the selected controls align with the company's threat landscape and ultimately embed into workflows.

Finally, businesses must stay adaptable. Cyber threats are constantly changing. Leaders must understand that a control or process that works today may be ineffective tomorrow. Entities must be willing to pivot. Fortunately, a strong foundation makes it far easier and often much cheaper to adjust when needed than to rebuild from scratch if a breach does occur.

In today's ever-evolving digital landscape, mistakes are bound to happen. As I often say, to build cyber resilience, you do not have to be the fastest person running from the bear. You just don't want to be the slowest. By taking the time to understand vulnerabilities, partnering with an expert and empowering employees to reduce risk, companies can create a cybersecurity culture that supports more informed decision-making.

Chris Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm that provides cybersecurity, information technology and security compliance services.
