For years, “people” have been labeled as the weak link in cybersecurity. That generalization is unfair. Whenever cybersecurity in the workplace comes up, many employees assume it is a technology issue and not something they need to worry about, or that the IT team will solve the problem. That assumption leads to potentially unsafe behavior and must be addressed to keep the entire organization secure, reduce the risk footprint and protect sensitive data. It is well documented that data is the lifeblood of a business; however, as the volume of sensitive data being processed grows, so does the number of cyber attacks and breaches we see.
Lead security awareness champion at KnowBe4.
The current state of cybersecurity
Statistics show that the number of data breaches reached almost 3,000, with more than 8 billion records breached in 2023. This pushed the global average cost of a data breach to an all-time high of $4.45 million. Meanwhile, global end-user spending on security and risk management is expected to total $215 billion in 2024, up 14.3% from last year.
Additionally, the 2024 Verizon Data Breach Investigations Report revealed that 68% of breaches, whether involving a third party or not, involve a non-malicious human element, meaning an individual making a mistake or falling prey to a social engineering attack. This statistic is telling because it reinforces the fact that even with the best security technology on the market, there is no guarantee that an incident won’t still occur when humans are involved. For this reason, efforts should focus on improving the human side of security and promoting safe behavior among employees.
Security culture and its core elements
One of the most important strategies for promoting safe practices within organizations is to deliberately foster a strong security culture: the collective beliefs, practices and interpersonal dynamics that shape how security protocols are followed. A robust security culture depends on employees internalizing their roles and obligations to protect not only their professional domains but also their personal ones. Prioritizing the strengthening of security culture increases an organization’s preparedness, allowing individuals to instinctively act as a proactive line of defense.
Understanding which elements influence security culture means knowing its seven core dimensions:
1. Attitude: Employees’ feelings and beliefs regarding security protocols and concerns.
2. Behavior: The actions and activities of employees that directly or indirectly influence the security of the organization.
3. Cognition: Employees’ understanding, knowledge and awareness of security issues.
4. Communication: The quality of the communication channels used to discuss security events, promote a sense of belonging and provide support for security-related matters and incident reporting.
5. Compliance: Employees’ familiarity with the written security policy and the extent to which they adhere to it.
6. Norms: Awareness of, and adherence to, the unwritten rules of conduct within the organization.
7. Responsibility: How employees perceive their own role in maintaining or endangering the organization’s security.
Security culture in Europe
Organizations that prioritize establishing and maintaining a security culture will see increased security awareness among their employees. Research has shown that organizations in Europe have a good understanding of security culture as both a process and a strategic measure; however, many have yet to take their first tactical steps toward it. Those that have realize that shaping security behavior is essential to developing a security culture. In a proactive security culture, employees understand that security behavior extends beyond participating in phishing simulations; they are intrinsically motivated to contribute to the security posture of their organization.
Digging deeper, smaller European organizations score higher on security culture thanks to more effective personal communication, stronger community ties and better support for security issues. This naturally leads to improved cognition and compliance, with better communication channels seen as a key driver of security policy understanding and proactive security behavior that outperforms global averages. Looking at which sectors within Europe show the strongest security culture, the research points to heavily digitalised sectors such as finance, banking and IT. Security awareness is no longer seen as a box-ticking exercise to meet compliance requirements; it is increasingly seen as a strategic initiative to promote a security mindset across the organization.
Impact of EU regulations
Europe comprises 44 sovereign countries with a total of 746 million inhabitants, which is a large pool of potential victims for social engineering attacks. That is why everyone must be part of the defense, especially as EU legislation and regulation place increasing demands on companies.
First, the GDPR had a global impact by prioritizing individual interests in data processing. Now sector-specific regulation such as the Network and Information Security Directive (NIS2) enforces strict cybersecurity standards and holds boards accountable for organizational cybersecurity and supply chain security. The Digital Operational Resilience Act (DORA), which comes into effect in January 2025 and targets financial institutions, requires rapid recovery from cyber attacks and training of employees. Furthermore, the EU AI Act, due to come into force in 2025, categorizes AI risk and imposes significant fines for non-compliance.
Successful cybersecurity management requires unified strategies, standardized processes, clear accountability and adequate resources, making compliance not just a formality, but a robust security framework.
Getting the security culture in order
To get the security culture in order within your organization, focus on two or three high-risk behaviors to change. Free security culture surveys can help you establish your current position as a starting point. The organization’s goals, strategies and objectives must be aligned with this mission, so develop a plan to influence behavior using both formal mechanisms and informal leadership models. Provide clear communications tailored to diverse preferences, and secure executive buy-in to strengthen support. Execute the plan with defined goals and timelines, and maintain open channels of communication. Evaluate progress through follow-up surveys and share the findings with leadership. Solicit input from stakeholders to continually refine the strategy. Stay proactive against evolving cyber threats and remain flexible enough to adapt as business objectives change.
Finally, begin the journey to building a strong security culture with a positive attitude and confidence, because these steps will pave the way for long-term change in your workforce’s security awareness and preparedness.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro