How to establish an IT security culture in your company

Anyone who thought the topic of IT security was primarily of importance to large, international corporations is mistaken: A recent study shows the increasing risk of cyberattacks even in small to medium-sized companies: 80 percent of the companies surveyed were affected by an attack on their IT systems last year. Overall, these attacks increased sharply, especially those that entered the system via e-mail.

Lack of IT security culture

With many different workplace tools now in use in most companies, it is becoming increasingly difficult for employees to identify and correctly assess security risks. Strict security policies only help to a limited extent: generally, companies try to keep workflows as simple as possible - if they are complicated by security hurdles or controls, employees are more likely to try to circumvent them. To ensure that the company's safety strategy does not fail, employees must develop an awareness of safety in the workplace.

Here is the checklist for an IT security culture in the company

1. IT security starts at the top. If IT security is a top priority and respected by management, employees will also take the issue more seriously and be more likely to question their own user behavior. This connection is pointed out by a Security breach investigation in British companies. Managers need to set a good example in safety with their own behavior to provide guidance to employees and make them aware of potential safety risks.
2. Safety is the responsibility of all employees. The topic of security is not just the concern of a few, but affects the entire company. That's why every team member should be introduced to the topic. Sit down with each employee to raise awareness about the role of IT security in their day-to-day work. It's important to educate about the risks that the many different tools, content and your own user behavior can pose. Habits that have crept in over time and are problematic for the security of the company can thus be identified and changed.
3. Context is the key. Safety does not seem to be directly relevant to all employees. Nevertheless, it is important to involve all departments - this is the only way to create a safety culture for the entire company. In order to make employees from different teams aware of the specific situations in which the topic of safety is relevant, practical examples from their everyday work can be helpful.
4. Choose Head-Ofs. The IT team cannot assume responsibility for a company's entire security strategy. Therefore, employees from the various departments should be designated to act as a link between IT and the respective teams. They are closer to the day-to-day decisions and have a more detailed understanding of the workflows, or are directly responsible. Specially appointed security officers in each team can better support decision-making on the ground.
5. Safety training is a continuous learning process. Holding a one-hour training session for employees once a year is often enough to meet compliance requirements - but this is not the way to build a sustainable safety culture. In order to anchor a new understanding and awareness of safety among employees, it is important to also address the topic in regular meetings in the long term. Here, you can also think about incorporating playful elements and organizing a quiz in between, for example.

Conclusion: No technology can replace a safety culture in the company

Even though developers are constantly providing new security measures for business applications and tools, even these cannot prevent an increased risk due to incorrect user behavior. Therefore, it is central to create an awareness of IT security in the company that encompasses all departments from management to employees. Only when everyone pulls together can an IT security culture emerge that protects the entire company from cyber attacks.

About the Author:
Morten Brøgger is the CEO of Wire. Wire is a secure communication and collaboration platform. Business chats, conference calls, and file sharing - all content is protected by end-to-end encryption.