Culture cannot be imposed via edicts issued by remote or indifferent executives. Culture is a way of acting, based on the informed values and priorities of an organisation’s leadership, embedded within governance processes. It is reinforced and transmitted in the course of relationships, both internally and with customers.
Without board-level focus on, and a good understanding of, cyber security issues, organisations tend to exhibit a poor cyber security ethos. According to a study published in the Harvard Business Review (HBR) earlier this year, cyber security is viewed by many company directors as a lower level risk – akin to the need to pay compensation or supply chain issues – rather than a fundamental issue potentially resulting in significant financial, reputational and other long-term damage.
The adequacy of an organisation’s processes and procedures, and its cyber security culture, appears to strongly depend on the managers’ understanding of the issue. The IT and Telecoms industries tend to have the strongest cyber security cultures – with specific processes for ensuring that security is discussed regularly, management information on cyber issues is both available and informative, and planning for cyber breaches is kept updated. In contrast, and despite frequent cyber attacks, 79% of healthcare-linked respondents to the HBR survey did not consider their organisation’s processes to be robust.
Entrenching a strong cyber security approach within the culture of an organisation will help to protect against the unnecessary loss of customers, money and opportunities. As such, while making changes to ensure compliance with the incoming General Data Protection Regulation, organisations should take the opportunity to update and upgrade their cyber approach more widely. As an initial step, senior management should consider the adequacy of any existing information security policies: are they adequate? do they address current threats? how can any gaps be filled? External assistance may be needed in order to ensure appropriate legal and technological issues are considered.
Further, a reorientation of management information to highlight cyber security issues may be needed, along with clarity regarding the reporting lines via which that information should travel. Clear metrics to test the effectiveness of any security should be introduced and testing should be carried out regularly, either internally or with third party assistance. An organisation may also want to consider working towards a recognised cyber security standard, such as the UK government’s ‘Cyber Essentials’.
Changes must then be disseminated clearly to employees, firstly via training, but primarily as part of daily interactions. It is management’s determination that cyber security measures are used on a day to day basis, and their enforcement of the organisation’s policies, that will establish the desired culture.