As businesses adapt to the pandemic and incorporate work-from-home arrangements into normal operations, cyber resilience has become more critical than ever. We often tout the benefits of cyber resilient IT systems, but it’s important to remember that cyber resilience starts with people.
Studies consistently show that employees are the weakest link in the cybersecurity chain. But changing behavior requires more than just educating users. It requires the establishment of a cybersecure culture throughout the organization, so it becomes a driving principle at the same level of high-order priorities like achieving revenue goals and delivering long-term shareholder value.
What is a cyber resilient culture?
We asked Principal Product Manager Philipp Karcher what a cyber resilient culture is and what it takes to establish one at an organization. He said a culture of cyber resilience recognizes that everyone – not just IT – has a role in cyber security. Karcher defines cyber resilience as the application of the same principles of IT resiliency so that employees:
- Are prepared in advance
- Can respond quickly to, and help the business recover from, a cyber attack
- Can keep operating and serving customers no matter what
- Learn from their mistakes and get back on track effectively
Benefits to businesses
When businesses internalize this culture, they’re better prepared, better able to respond and better positioned to experience growth, Karcher says. Asking employees to devote time and effort toward security awareness is an investment in the future of the business.
On the other hand, businesses that don’t work toward a culture of cyber resilience are more vulnerable to cyberattack. Their employees are more likely to practice poor password hygiene, click on something they shouldn’t and make other mistakes, like misconfiguring access rights or accidentally sending someone the wrong file.
Cyber resilience training and culture
While IT resilience focuses on hardening data and applications, your overall cyber resilience as an organization depends equally on making users resilient. This should include a program of training and communication on security issues employees need to be aware of and how to respond to incidents.
When you look at the results of a training program, it’s no wonder that our colleagues at Webroot™ were recognized as a Strong Performer in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2020. According to data from the Webroot Threat Research team:
- One in 10 employees (11%) clicks on phishing emails, even with annual anti-phishing training.
- We see immediate benefits to running a second anti-phishing training with a 25% reduction in phishing clickthrough rates.
- With monthly anti-phishing training, we see the number drop to one in 20 (5%) clicking on phishing simulation emails.
Webroot also partnered with leading cybersecurity education content provider, NINJIO, to deliver engaging three-to-four-minute Hollywood-style micro-learning videos that feature updated COVID-19 content and encourage cyber resilient behavior, like identifying phishing emails and malicious URLs.
Karcher adds that, in addition to regular employee training, businesses should publish regular communications on security topics in the form of emails, internal social media, posters and videos. Examples include coverage of real-world threats employees need to defend against in their work and personal lives, and industry news about other businesses that were adversely affected by attacks. Cyber resilience can only become a part of culture through sustained, long-term engagement – not just annual training.
Interested in implementing a culture of cyber resilience? Take the first step here.