The benefits of building a security culture within your business

By Nik Williams, MD of information management company Shredall SDS Group

Not a day seems to go by without news of another high-profile data security breach. They never make for a good read, but they do highlight to businesses the importance of reviewing, maintaining and improving their own infrastructure.

GDPR has made the stakes even higher as there are now larger financial penalties to consider; smaller offences can result in a fine of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). More serious offences can lead to fines that are double this – much larger than the maximum £500,000 penalty the Information Commissioner’s Office (ICO) could previously issue. What’s more, data breaches can be highly detrimental to a company’s reputation and can result in a loss of custom, and ultimately revenue.

With hacker attacks rife, it would be naive for start-ups and small businesses to think that they’ll go unnoticed, with cybercriminals preferring to target bigger, household name brands. The opposite is true – smaller, inexperienced companies often make easier targets because they neglect to allocate enough resources (i.e. budget and training) to offline and online security practices.

Further to this, it’s no longer enough for CEOs, managing directors and senior managers to ‘hold the fort’ and protect their business’ security. Everyone needs to take responsibility for their firm’s data and to be vigilant to suspicious activity, highlighting the importance of creating a company-wide security culture. Here are a few ways you can achieve this:

1. Take a top-down approach 

Though we said it’s everyone’s responsibility, people can only be expected to lead by example. If their manager isn’t seen to be taking a proactive approach to data security, then why should they?

While there will be someone (or a select group of people) in charge of creating a security culture document or handbook, it must be communicated to everyone across the business in order for it to be effective, perhaps through a dedicated training session. It would be even better if CEOs, managing directors or senior managers can relay what they’ve personally done to improve their own security, even if it’s something as simple as using a password manager such as LastPass.

It’s likely that when implementing a security culture, you’ll make some changes to your business processes. Big changes should be clearly communicated too, for example, if you now require all members of staff to adhere to a clean desk policy.

2. Stress the importance of security 

Similar to the above, you can’t expect people to get on board with building and maintaining a company-wide security culture if they don’t understand why one is needed in the first place!

Make staff aware of the rise in hacker attacks and the different methods that cybercriminals employ to get their hands on sensitive information. Give them some real-life examples of security breaches too and explain what could happen if your business suffered a similar incident (i.e. fines and reputational damage). Rather than scaremongering, it should help people to feel like they have an important role to play in protecting their company’s data.

3. Make training integral 

Once you’ve got a security culture document or handbook in place and explained why you’ve introduced the change, it’s time to tell employees how they can help. In-house or eLearning training sessions/courses are a great way to cover different aspects of online and offline security, but they need not be boring! Try and make training as interactive as possible by inviting industry experts in for a Q&A session, or organising a game of security trivia.

Always make training material readily accessible to staff through your company’s intranet; this will serve as useful information to any new employees, or as a refresher. Laws are changing all the time, and new ones introduced, so it’s paramount someone is also in charge of reviewing and renewing the training documents on a regular basis, and then letting staff know the material has been updated.

4. Recognise great security behaviour 

We recognise and praise good work, so why shouldn’t we recognise good security behaviour too? Ask employees to flag any suspicious emails or activity, no matter how obvious, and thank them when they do so – it’ll go a long way. You could even highlight the example through an all-staff email, or in your company newsletter, to encourage further vigilance and engagement.