
The 5 obstacles to security culture and how to avoid them

Experts predict that global companies will spend $172 billion on cybersecurity this year (up from $150 billion in 2021). Despite such high investments in cybersecurity systems, cyberattacks continue to break new records. This is because most attacks have more to do with bugs in human behaviour than with the security technology itself.

Human behavior cannot be predicted, programmed, or controlled by technological defenses. Therefore, security culture is becoming an increasingly important defense strategy. Security culture can be defined as a combination of beliefs (an internal feeling about cybersecurity, usually stemming from one's own experiences and external influences), values (what employees think is important from a security perspective), attitudes (how employees perceive and approach security situations, which leads to a behavior), behaviors (actions employees can take when encountering a potential cyber threat), and social pressures (the shared expectations and modeled behaviors that encompass a group’s unwritten rules) that are reflected in the daily actions of employees.

Shaping human behavior is a complex process, and maintaining a robust security culture over the long term can be difficult for even the most security-conscious organizations. Some of the barriers organizations face when building a security culture include:

  1. Mental biases
    Our minds are often clouded by distractions, emotions, and habits, which can lead to impulsive judgments and risky behavior. The day-to-day actions of employees are the result of habits, past experiences, the influence of peers and preconceived notions. Such biases have security implications in many ways; they can create blind spots and lead to miscommunication or misinterpretation of a well-designed security program.
  2. Poorly designed or implemented security policies
    Information security policies and procedures are one of the most fundamental tools organizations use to influence cybersecurity culture. When policies and procedures are not well designed or implemented, or not properly communicated, they can be one of the most ineffective tools from a cultural perspective. If employees don’t follow policies or circumvent them, chances are the policies are improperly designed or are preventing employees from doing their jobs effectively. It’s a natural reaction: when workers encounter an obstacle, they find ways to avoid it. As such, the “change passwords every six weeks” directive can all too easily be ignored and forgotten.
  3. Failure to lead by example
    It is impossible for organizations to be successful in cultural change without leaders speaking out and promoting the importance of positive security behaviors. Everyone knows that culture is contagious and that actions taken by leaders can have a huge impact on people. When executives appear to be ignoring security protocols or avoid attending cybersecurity training courses, they are setting a bad example for employees. Ultimately, employees get worse, not better.
  4. Lack of a continuous improvement model
    Technology is constantly evolving and hackers are evolving along with it. The type of attacks a company faces today will most likely not be the same as those it faces tomorrow. In the absence of a continuous improvement model, sporadic or episodic training initiatives will not have a significant impact on the culture. As a result, the organization and its employees become vulnerable and exposed to a range of threats for which they are unprepared.
  5. Programs that work against human nature
    Security culture is not one-size-fits-all. Every organization is unique from a security perspective and every employee has a different level of security maturity. Humans are by nature social creatures of habit. Security programs that fail to address this reality often fail because organizations expect too much of their employees or go against their basic human nature.

How can organizations avoid these cultural barriers?

The first step companies should take is to invest their time and effort in identifying and understanding cultural challenges using a data-driven approach. Start by creating a baseline assessment of the attitudes, beliefs, biases, behaviors, and social norms that exist in the organization and create a strategy to track and improve on these metrics over time. Ensure your information security policy is a “living document” that is updated as employee needs and the technology landscape change. Get leadership teams to recognize and practice security culture as a core pillar of the organization’s foundation, rather than labeling it as a risk mitigation initiative. Training programs and phishing simulation exercises must always include real-world examples, be engaging (even playful), and test employees on the latest threats. An overarching cybersecurity board drawn from different departments should ensure that security programs are regularly updated and work in favor of employees, not against them.

Remember, security culture cannot be built overnight. However, sustained investment in security culture will lead to better security ROI over the long term and help organizations build a human defense layer that every industry today desperately needs.


Written by Perry Carpenter.
The views expressed are those of the author and not necessarily those of CEOWORLD magazine.