Talking to businesspeople about risk management is a vital part of what we do in the cybersecurity industry. People in management roles have no difficulty seeing the financial hazards that cybercrime presents, but the technicalities are often a sticking point.
A well-educated team is one of the most powerful security assets a company can have. In communicating the benefits of a strong cybersecurity policy, we also have to advocate for security education. A company can equip itself with a suite of excellent security tools, but they won't be fully effective if team members - from the boardroom to the shopfront - don't understand their individual responsibility to support the company's security culture.
Misconceptions vs realities
The popular perception of cybercrime is that it's a frontal assault by hackers firing off strings of code to break into computer systems, but the reality is that most data breaches start with a far quieter attack. Cybercriminals put out bait, usually in the form of email, and wait for someone inside the company to take it. One person opening a malicious attachment or entering their credentials on a phishing page is usually all they need to get a foothold. Attackers know that most people don't really understand how harmful a malicious email can be, so it's a simple and very effective way to infiltrate a company's network or steal sensitive data and credentials.
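To make the "bait" concrete, here is an added example (not MailGuard's code, nor anything described in this post) that inspects an email's headers for three tells a phishing message commonly carries: a display name that shows a different address from the real sender, a sender domain that imitates the company's own domain, and a Reply-To that silently redirects replies elsewhere. The trusted domain and both sample messages are constructed for illustration.

```python
"""Flag common phishing tells in an email's headers.

Added example, not MailGuard's code: the trusted domain and the sample
messages below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the company's own mail domain

# Constructed sample messages (not real captured mail).
PHISH = """From: "Accounts Payable <ap@example.com>" <ap@examp1e.com>
Reply-To: collect@mailer-relay.net
To: staff@example.com
Subject: Invoice overdue - action required

Please log in to review the attached invoice.
"""

LEGIT = """From: Accounts Payable <ap@example.com>
To: staff@example.com
Subject: March invoice

Attached as discussed.
"""


def domain_of(address):
    """Return the lower-cased domain of an email address, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small value means one domain imitates another."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when domain is not the trusted domain but is within one edit of it,
    after folding the common digit-for-letter swaps (1 for l, 0 for o)."""
    if domain == trusted:
        return False
    folded = domain.replace("1", "l").replace("0", "o")
    return folded == trusted or edit_distance(domain, trusted) <= 1


def assess(raw_message):
    """Return a list of human-readable findings; an empty list means no tell found."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_header = msg.get("From", "")
    display_name, from_addr = parseaddr(from_header)
    from_domain = domain_of(from_header)

    # Tell 1: an address embedded in the display name that differs from the
    # real sender. Many mail clients show only the display name.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if shown.lower() != from_addr.lower():
            findings.append(f"display name shows {shown} but sender is {from_addr}")

    # Tell 2: the sender domain imitates the trusted domain.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} imitates {TRUSTED_DOMAIN}")

    # Tell 3: replies are redirected to a different domain than the sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not {from_domain}")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(sample) or ["no findings"])
```

None of these checks is proof of phishing on its own, and a mail gateway applies many more; the point is that every one of them is invisible to a recipient who only reads the display name, which is exactly why education matters.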
People can be the weakest link
In this online era, almost everything people do at work connects them to the web and therefore exposes them to cyber-attacks.
One aspect of cybersecurity policy that companies often neglect is education, and that's a critical flaw: unless team members understand the threats they face and their own role in defending against them, they will unwittingly create vulnerabilities in the system.
Once a company has audited their systems and implemented policies to maximise security, the next vital step is to educate the people who work in the company so that they will become part of the security solution rather than undermining it.
Cybersecurity in plain English
Companies managing their cybersecurity policy need to consider a wide variety of different players including:
- Senior management and executives
- IT staff
- The wider team(s), and
- External partners such as suppliers and contractors.
Creating a strong cybersecurity culture in an organisation requires effective communication not only between the IT team and management but also between management and the broader company.
It’s vital for management to take ownership of cybersecurity policy. Because successful data security requires a whole-of-business approach, the impetus needs to come from the CEO and senior management suite.
In its full scope, cybersecurity can be a complicated, jargon-heavy subject so for most team members plain-English communication will play an important role.
For managers establishing a cybersecurity plan for their organisation, it’s worth bearing in mind that effective communication about cybersecurity can be a learning curve for IT people as well as non-tech team members.
When management are working with the company’s IT specialists to design security policies, there will be an unavoidable level of complexity involved. But when it comes to sharing the company’s security objectives with the wider team, the messaging needs to be in language non-tech people can access and understand.
Most people in an organisation don’t need to have an expert-level understanding of cybersecurity, but they do need to understand the basic mechanisms and potential consequences.
A good first step toward building better cybersecurity awareness in an organisation is establishing a common lexicon. The jargon around cybersecurity can be confusing and alienating, so giving people a shared vocabulary should be a top priority.
Management can work with the IT team to establish a vocabulary of functional terms covering the main issues the business faces. Non-tech people need to be as comfortable with the terminology as the IT specialists, so the lexicon should favour simplicity: a shared vocabulary is only useful if it simplifies communication, so each term should be intuitive and clearly defined.
The goal of cybersecurity education in a business setting is to give team members a functional understanding of how to avoid potential threats.
Cybercriminals target companies through vectors like email because humans are usually soft targets. Effective cybersecurity education seeks to close the gap by giving people the knowledge they need to recognise threats.
The responsibility for cybersecurity can’t be left to IT departments to handle alone. For security policies to be successful they need to be implemented across whole organisations, starting with senior management.
By educating its team on how cybersecurity works, a company significantly improves its frontline resilience. Not everyone in a company has to be an IT expert, but everyone should have a basic understanding of the cyber-threats, like malicious email, that they are likely to encounter on a daily basis.
Guidance for non-tech people
If you're looking for an accessible cybersecurity guidebook to share with your clients, please download Surviving the Rise of Cybercrime by MailGuard CEO Craig McDonald. This plain-English book explains the most common threats and provides essential guidance for managing risk. It’s a great starting point for a company seeking to build a stronger cybersecurity culture. Download Surviving the Rise of Cybercrime for free, here.