Cybersecurity Awareness Month is now in its 18th year. Hosted by CISA and the National Cybersecurity Alliance (NCSA), the event’s goal is to raise awareness about the importance of cybersecurity and to ensure all Americans have the resources they need to keep their data secure.
This year, Devo is one of the 2021 champion organizations for Cybersecurity Awareness Month. Since we make cybersecurity awareness a priority all year round, we thought we’d share our approach to raising security awareness so your team can take similar measures to establish a strong security culture at your organization. Let’s get into it!
How Devo is Celebrating Cybersecurity Awareness Month
Our CISO team has developed a month-long series of events and learning opportunities for all Devo employees. All our plans align with themes that CISA and NCSA have established for the event. They are:
- Week one: Be Cyber Smart
- Week two: Fight the Phish!
- Week three: Explore. Experience. Share. — Cybersecurity Career Awareness Week
- Week four: Cybersecurity First
Over the four weeks, our CISO team is sharing information and resources on application security, adhering to the latest security updates, and following email best practices to avoid phishing scams, as well as tips for how employees can keep their families safe online.
However, we’re not just lecturing our staff on the many diverse ways their data could be compromised. We also sprinkled in a little bit of fun by launching a competition where all our employees can submit their design ideas to establish a new mascot for the Devo CISO team. While security is a serious topic, the information is more likely to stick if you’re having some fun along the way.
How Your Security Team Can Establish a Strong Security Culture
While Cybersecurity Awareness Month is a good time to share resources, there are a lot of steps your security team can take throughout the year to make sure cyber hygiene is always top of mind. Here are the top four steps I recommend teams take:
1. Continuously scrutinize security training: Whether you’re just starting at a new company or have been there for a long time, it’s important to continuously review and analyze the security training available to employees. The cyber world changes quickly, so security recommendations must evolve just as fast.
If you’re beginning a new job, thoroughly review all security-related documentation. You can also tell a lot about an organization’s cybersecurity maturity by how much cyber training new employees receive during the onboarding process. Looking back at the volume and severity of an organization’s security incidents — via security analytics platforms such as Devo — can also provide insights into the maturity and readiness of the company’s cybersecurity policies and procedures.
2. Avoid blame culture: At many organizations, employees are so scared or worried they’ll lose their job over a security mistake that they won’t report it. For obvious reasons, this can be detrimental. While establishing accountability is important, employees should feel comfortable coming to the security team if they suspect a security-related issue.
To avoid this, companies should develop an acceptable use policy to ensure everyone understands their cybersecurity responsibilities. It’s also important to show employees that security is a top-down priority. Proactively engaging the executive team in cybersecurity awareness can help set the tone and reinforce security values. For example, if you’re rolling out new security software that employees must download onto their computers, be transparent about the metrics and tracking, and share those insights with executive leaders so they can help guide their teams to take the necessary actions.
3. Fight shadow IT: Shadow IT is prevalent among many organizations, and it causes a massive security issue because security teams simply cannot protect what they can’t see. Employees often work around processes to obtain tools because they don’t realize how long the proper approvals will take. By making sure the policies and procedures for purchasing third-party tools are clear, concise, and signed off on by employees, you can start to combat rogue purchases. Further, finance shouldn’t approve or reimburse any expenses for tools and software unless the IT and security departments have approved them first.
4. Communicate concisely about critical security actions: Look, we’re all inundated with messages, emails, texts and calls all day long. No one has the time to read a novel-length message — even if it is about a critical security update they need to make. If your company uses collaboration platforms such as Slack or Microsoft Teams, short, concise messages via these platforms can be a great way to catch employee attention. Using emojis and colored fonts can catch their eyes, too.
While these are just a few policies and procedures your security team can implement to start building a strong cybersecurity culture, it’s critical to make training and educating staff on security best practices a year-round effort. Cybersecurity Awareness Month is a great time to get started, but don’t let it be the only time of year you communicate with employees about pressing security matters!