Companies are better protected when employees are on the ball and able to successfully thwart a cyberattack. But how do companies establish such a security culture? Two security awareness experts give their advice.
Text: Andreas Heer, Pictures: Swisscom
26 September 2023, updated on 24 July 2024
People are vulnerable to persuasion. And under pressure and stress, we can all make mistakes or become careless. Cybercriminals use social engineering to exploit this. Phishing campaigns or CEO fraud see repeated success because someone will always fall victim to criminal activity.
Unsurprisingly, according to the SANS 2023 Security Awareness Report, social engineering is the biggest human risk factor in a company’s cyberdefence. But this situation can be changed or reversed. With a security culture, employees become the first line of defence in the cybersecurity chain.
With a security culture and employee awareness-raising measures, companies can successfully change how employees behave when handling data, information and IT systems, and enable them to identify and respond appropriately to a cyberattack. They can thus complement their technical and organisational security measures with the human factor.
“Ensuring security awareness is the first prevention measure,” says Marcus Beyer, Head of Security Awareness at Swisscom. “It’s about making employees aware of the importance of security, both physical and online, and embedding security-conscious behaviour into the daily routine.”
This task includes a wide range of communicative and learning activities. The aim of this security awareness training is to change the behaviour of employees – security awareness should always be an integral part of day-to-day work, wherever possible. It is clear that this task cannot be confined to one-off or occasional actions, as Marcus Beyer explains: “It takes time, resources and a certain degree of courage to build a security culture, but most important of all is patience.”
Monika Geitlinger also views security awareness as an ongoing process. It is an important part of her role as Information Security Officer at Raiffeisen Switzerland: “We are constantly reviewing whether we need to incorporate new areas of training or new approaches to ensure the continued support of our employees and prepare them as well as possible.”
Companies have data handling rules for legal and compliance reasons. According to Marcus Beyer, security awareness supports compliance with these organisational cybersecurity measures: “If employees are made aware of the security risks, they are more likely to follow instructions and rules, because they understand why we need the rules and why they exist.”
A security culture thus supports damage control; that is, preventing successful cyberattacks and data theft. “The management also understand this. Even if a security culture prevents just one major incident, the investment has already paid off,” Beyer adds, referring not only to the financial damage avoided, but also the much more detrimental reputational damage and loss of trust.
The benefits of a security culture go beyond pure damage control, however, as Monika Geitlinger explains: “Naturally, an important objective is to adequately protect our bank and thus also the data of our customers. However, we make every effort to achieve a holistic understanding of the topic. After all, cybercrime can also impact our private lives. In our training courses, we therefore repeatedly highlight not only the entrepreneurial risks but also the action employees can take to minimise risks in their personal lives.”
Clearly, employees who understand the purpose of security measures and exhibit security-conscious behaviour will behave that way everywhere, not only at work. Security awareness is thus also a personal development opportunity for employees. After all, security awareness doesn’t stop at the office door.