During 2020, Australian individuals and businesses lost more than $132 million to various types of cyberattacks, with email delivery accounting for 23 per cent of those attacks. If your business hasn’t fallen victim to a costly cyberattack yet, it could just be a matter of time depending on whether you have a strong cybersecurity culture in place.
Culture is often the chief contributing factor to whether your organisation is protected from the growing risk of cyberattack. A strong cybersecurity culture can help overcome the weakest link in cybersecurity, which is people. Human error, such as falling for scams or phishing attacks, or failing to use multifactor authentication or strong passwords, can open significant security gaps in your business. People often don’t realise the crucial role they play in protecting the organisation, so it’s essential to ensure they’re aware of how they can help keep your business safe and to provide them with the right tools.
Culture develops organically, making it difficult to change
Organisational culture can be tricky to develop and hard to define. In many cases, culture exists without staff members even being aware of why or how those cultural expectations ever came about. In most organisations, culture develops organically as a result of personalities within the business, which means leaders don’t need to invest a lot of time or effort thinking about it.
Deliberately and proactively changing organisational culture can be a daunting task. However, for organisations that need to improve their cybersecurity posture, creating a strong cybersecurity culture is paramount. Therefore, it’s essential to understand how culture works, and how to change it.
Cultural change is one of the most difficult leadership challenges because of all the different, interlocking elements that underpin organisational culture. This can include goals, priorities, values, individual drivers, historical practices, attitudes, and communications. Changing just one or even a handful of these elements won’t alter the culture in any meaningful way.
Five factors of meaningful culture change
In our experience, there are five factors organisations need to consider when trying to change their existing culture:
1. Focus on positive reinforcement
Changing organisational culture effectively relies on team members understanding what’s in it for them and how they’re contributing to business success. It’s important not to use fear or assign blame, as this can create resentment and opposition to the change. Heavy-handed enforcement or punishment for getting cybersecurity wrong will only cause team members to hide their mistakes and, potentially, open the business to more risk. Some may even become resentful enough to want to wilfully damage the organisation, so it’s essential to keep the culture change positive. It’s best to frame the change as an organisational challenge that everyone can contribute to solving. This helps people take ownership and will make it more likely that they’ll own up to any mistakes they may make, since they won’t be afraid of the repercussions.
2. Align cultural change with organisational goals
Cultural change for its own sake rarely achieves traction. People need to understand how changing their behaviour will help the business and why they should care. Showing them how their actions can help the business achieve its goals makes organisational change easier to internalise.
3. Communicate clearly, consistently and frequently
Culture develops over time and can’t be changed overnight. Therefore, it’s important to communicate with the team so they understand the reason for the change and what’s required from them. However, a single email from managers or even one all-staff meeting isn’t going to move the needle. To change culture, it’s essential to communicate clearly, consistently, and frequently. Desired behaviours must be reinforced with incentives, recognition, and rewards, while undesirable behaviours should be identified and discouraged.
4. Show people what success looks like
As the culture is still being developed, people will require clear examples to follow, starting with strong behaviour modelling from the top. This will turn abstract concepts into concrete ideas, making it easier for employees to emulate the desired behaviours.
5. Create a safe space for feedback
It’s unlikely that employees will automatically internalise the new culture or that the change will go smoothly. It’s far more likely that the new culture will emerge through trial and error. The process will be effective, and the results will be more entrenched, if managers make it safe for staff members to give and receive feedback. This includes clarifying that no employee will face repercussions for pointing out areas for improvement. Employees will always provide valuable input when they feel ownership of a process. This also helps the whole team, including management, improve together to achieve the desired change.