The Makings of Cybersecurity Culture

Organizations that have a strong cybersecurity posture are not only leveraging technology but also investing heavily in changing behavior — moving away from fear-based tactics to those of healthy paranoia, where communication and repetition work in favor of building cybersecurity habits. 

Our fireside chat for this month aims to discuss some of the biggest challenges SMBs are facing when building a cybersecurity culture, and the areas of success when seeking to change employee behavior. We invited Patrick Hunter, partner development manager at Hook Security, a cybersecurity training and awareness company, to discuss these topics, and here is what he told us:

 

Episode 6

 

Derek: From your perspective, how would you define cybersecurity culture? 

 

Patrick: I would define cybersecurity culture as one of everybody within an organization valuing the assets of the organization. Ultimately what employees value is what they see management values, so everything from physical, tangible assets, to headcount, to data. If an employee sees that, their management is conscious towards safekeeping the data, they'll tend to do that as well. Now another aspect of that I think is related to the attitude around protecting those sorts of assets. I think it's one that could have a very positive impact on a company and an organization, and that's something that we try to do, creating a positive culture. So I think we can have that sort of mentality wrapped around things like cybersecurity awareness and do it in a way that enables employees to feel good about themselves and what they're trying to do. 

 

Derek: Absolutely. So when, when you talk about this culture of cybersecurity with SMBs, what are some of the the challenges you face in sort of creating a healthy paranoia amongst them? What are some of the objections you tend to hear from them?

 

Patrick: You bring up a very good point, which is creating a healthy paranoia. At Hook Security as a company, we're not trying to instill an environment of fear, but rather help people create an instinct, a healthy paranoia, around the emails that they're getting, making sure that everything looks legit and they're not afraid of the technology that's in front of them. With that in mind, thinking about some of the challenges in the SMB market is a mindset of "we're too small; why would anybody focus on us?" And today it's not necessarily about stealing your intellectual capital anymore, it's really more about disrupting your business and the cybercriminals looking to hold your company hostage. 

You need to use email to communicate with people and you need to be able to trust the legitimacy of the emails you receive. Additionally, from a challenge perspective I think there's a lot of SMBs that have a lack of resources or IT staff in general, and is a good opportunity for MSPs to provide some real value. Probably another challenge I see is that oftentimes in smaller companies people are wearing many different hats, so day to day life within the company becomes very busy and it can be somewhat easier to be careless or miss something by not paying attention just due to the workload.

 

Derek: So you talked on a couple of things, maybe SMBs don’t have the IT or the security team internally and also the belief that “we are too small, I’m not a big enough target for these criminals”, so there’s a lot of obstacles for an SMB to even get to the topic of a cybersecurity culture. I brought you in not by accident, because I think what Hook Security and companies like Knowbe4 are trying to do is not focusing on scare tactics, your focusing on changing behavior and pattern recognition, and habits. Can you just talk a little bit about why this approach is so significant in creating a cybersecurity culture?

 

Patrick: Absolutely. I think it's pretty easy to say you can go out and do a quick Google search and find a myriad of spelled doom and gloom relative to cybersecurity, and it creates an element of fear. At Hook Security we’re looking to create an environment that has a positive culture around cybersecurity awareness creating a healthy paranoia. In an environment of fear people are afraid to do their daily work, they’re concerned about messing up or getting the company in trouble. So rather than looking to try to slap the hands of employees we try to help educate, create awareness, and help companies and employees see and recognize threats associated with phishing emails through very short, 60 to 92 second, training videos that occur at the point of infraction, and that are infused with one or two takeaways along with a humorous or dramatic messaging.  

We realized that's a better way for employees to learn and absorb information rather than requiring them to take some sort of phishing testing, whether exercises or tests with 30 to 45 minute webinar and then answer 20 question multiple choice tests. 

 

Derek: Exactly. You were just getting to explain what Hook does. But just to get more detail what does Hook do? I want to make sure our listeners are fully grasping the extent.

 

Patrick: Absolutely. So Hook Security is a phishing testing and cybersecurity awareness training company. Through our solutions, we train employees to help them prevent compromising themselves and their company, from emails with malware, ransomware, or other potential security breaches. So we send fake phishing testing emails on a monthly basis. That are designed to look like real phishing attacks, with the idea that when an employee clicks on a link within an email, they would be immediately redirected to these 60 to 92-second videos to receive security awareness training right there at the point of infraction. We're not taking them away from work, not even taking them away from their desk. And then, monthly, we provide reporting information back to management that could be high level down to very detailed information.  

 

Derek: I love how you guys approach security in terms of training that's ongoing for folks to create habits. So to recap, it's a monthly phishing simulation email that gets sent to anyone in the company, that is meant to look like regular emails. If someone carelessly opens and clicks on it, there's a video for them to walk through, get one or two takeaways, all with good humor. But the main point is actually that cybersecurity culture is critical to SMBs to take the front steering and find someone or some way to get continuous and ongoing training so that folks can have a healthy paranoia. Anything else you want to add? 

 

Patrick: Yeah, so I think you hit on a couple of interesting things right there. One is, we recommend that you provide training for every employee every month on an ongoing basis, for a couple of reasons. One, the employee base does churn over time, employees come and go, and two, the threat vector is ever-evolving. Our platform is built in such a way that we can change our method of delivery if we need to. The other piece within that, which ties back to the culture and behavior, is that we're trying to help employees create good, strong behaviors. Seeing and recognizing threats, and repeat that overtime to create cybersecurity awareness habits that they can take with them — not only this job but the next job and even at home. 

 

Derek: Right, if you want to create a culture create habit in your people, enable them to develop the best behaviors, and the best part is that you can measure it. There are metrics month over month, you can see the improvements. Patrick, thank you so much for your time and we’ll have you on again at some point in the future. 

 

Key Takeaways for SMBs

  • Don't assume you're too small to attract cybercriminals! Think about how many days your business can afford downtime? Or how much it would cost to lose the trust of your partners/clients in your ability to protect their information?

  • The goal of a healthy cybersecurity culture is not centered on fear but on nurturing a healthy dose of paranoia. 

  • Repetition is critical to changing behavior and building new habits; make sure your cybersecurity training program is repetitive and easy to digest. 

  • If you don't have the time or skills to handle your cybersecurity, there are trusted MSPs like NSI who specialize in this area.

About The Author

Client Success Manager for NSI