
Culture: The unsung hero of holistic security

If you want to nip threats in the bud, consider building a top-down culture that strengthens your security posture

2024.08.12, Dheeraj Rawal

Cyber security budgets are rising to tackle growing threats

Every year, new security threats emerge on top of the existing ones, putting security professionals and CISOs into a never-ending cybercrime-fighting loop. Cybercrime is becoming more serious as new tools, disguise methods and faster attacks keep appearing. By 2025, cyber attacks will cost the world about USD 10.5 trillion annually (up from USD 3 trillion over a decade ago).1

Raising the investment bar to counter threats

To level up against emerging threats, businesses are raising their IT and cyber security budgets. In 2017, cyber investments stood at USD 131 billion globally. By the end of 2024, the number will surpass USD 200 billion.2 The median spending on security by organizations is around USD 3.75 million – a significant budget to protect IT infrastructure.3 

Despite the considerable investments, the impact of threats remains large, mainly due to a lack of cyber security culture and awareness. Many studies point out that human error is the primary cause of data breaches: about 90% of breaches can be attributed to human error.4 Certain errors can escalate into a full-blown data breach. Examples include clicking on a link in an email from an unknown sender, reusing a weak password across too many applications, or accidentally exposing data to the public.

Errors can be unintentional, but companies end up biting the bullet

That’s what happened to Microsoft when some of its employees unintentionally exposed 38 terabytes of data publicly on GitHub. Private data such as keys, passwords, messages, personal backups of employees, and so on was left accessible to the public. Luckily for Microsoft, it was internal data and no customer data was involved, which saved it from lawsuits and compliance penalties. After the incident was reported by Wiz Research, the company took corrective measures by fixing permissions and securing the data.5

Several other examples show that employee errors have led to devastating consequences (read about Equifax’s story in this blog). Security tools cannot guarantee full protection; an organization also needs a security culture. Hence, this has become a boardroom topic and one of the key priorities for CISOs.

What is cyber security culture?

Security culture is a set of values and shared beliefs followed across the organization. An example could be an organization that cultivates a strict role-based access system, where access is granted only to those who need it, and to no one else. This practice fosters good security hygiene and minimizes security incidents arising from unauthorized access. A set of such practices constitutes a security culture.

The core components are security policies and controls, security practices, training and awareness, security tools, compliance norms, security assessments and updates, roles and responsibilities, incident response plans, and leadership initiatives. Apart from these technical aspects, what matters is the attitude of every individual towards security. Culture should be in the organization's DNA. All these factors together create a culture that leads to a robust security posture.

Why cyber security culture is the make-or-break factor

Today’s attack surface has expanded due to cloud and digital technologies. It’s impractical to fend off every attack all the time. No matter what advanced tools are used to put up defenses, a simple phishing email (email is the most common vector for malware, and phishing is hackers’ favorite weapon) and an unaware employee are all it takes for a data breach. Cybercriminals know that humans are the weakest link, and most attacks are designed to exploit human weaknesses.

Phishing attacks are getting smarter and faster, thanks to Gen AI. Phishing attacks have increased by more than 1,200% in 2023 alone as hackers leverage Gen AI tools.6 Also, every unsecured endpoint or network access is a potential entry gate for the attacker. Imagine an employee connecting to corporate applications through an unsecured or compromised Wi-Fi connection at a café. Such instances are a dime a dozen. 

At times, insider threats are intentional where employees steal or leak data. In 2023, Tesla employees leaked sensitive data to the media, including customer bank details, compliance details, and more.7

Errors are expensive and can break the bank

Attacks or data breaches can cause:

  • Financial losses: The average data breach cost is more than USD 4.4 million.
  • Regulatory fines: Noncompliance with regulations such as GDPR can cost millions, whereas HIPAA fines can range from USD 50 to USD 50,000 per patient record.8
  • Disruption: The average time to identify and contain a breach takes about 277 days.
  • Downtime: Downtime caused by a breach can cost up to USD 88,000 per hour.
  • Loss of reputation, brand value, customer attrition, and so on.9

Therefore, employees must be made aware of the various scenarios in which careless behavior can lead to a security incident. Hence, most companies are investing in security awareness trainings that focus on explaining security terms simply and showing how noncompliance can impact an organization. But it’s a top-down approach.

Culture starts at the top


Security is not one man’s or one team’s concern; it’s everyone’s responsibility. However, culture always starts at the top. For any culture to thrive, leaders and executives must influence their teams. Leaders need to communicate effectively and show empathy when needed. For instance, employees who accidentally cause security incidents should not be penalized or singled out, but counselled on following the appropriate norms. This behavior encourages employees to report errors. Positive reinforcement of ideal behavior works better than punishing bad behavior. Additionally, when the leadership is convinced of the value of security culture, it also invests in security awareness trainings for employees.

Launching into culture with security awareness training

Security trainings should be role-specific so that employees know what kind of threats they face in their roles and what impact their actions have on the business. The training should focus on raising awareness rather than inciting fear. It has been observed that 39% of IT professionals are most scared of phishing attacks and 49% think their organization will soon face a phishing attack, while 20% of employees are also likely to click on phishing email links.10 Employees who think their organization will judge them harshly are unwilling to accept and report their errors. This can be a serious cultural problem.

Not all errors lead to an immediate security breach; some are as mundane as sending an internal email to an external person or attaching the wrong file. If not reported, such errors can escalate, and at times can cost a customer.

Shaping up security awareness trainings


Awareness trainings can take the form of quizzes, surveys, classroom sessions, or even attack simulations. Some organizations use attack simulations to give teams a better learning experience. Best practices need to be shared and reinforced periodically so that they aren’t forgotten. Topics could include identity theft, password policies, multi-factor authentication, social engineering, public Wi-Fi, safe browsing, data backups, software updates, device security, breach recovery, compliance norms, and so on.

Security awareness also includes creating clear security policies and promoting them. For instance, there can be clear documentation on a phishing awareness and response policy. This document could cover how to identify and respond to phishing attempts, related terms, reporting and response procedures, simulation details, regular updates, and so on. Similarly, organizations also need to prepare a clear incident response plan that assigns the individuals responsible for handling an incident. Flexible teams can help improve response time during a crisis and lead to a faster recovery.

Furthermore, it is also advisable to empower teams by making security certifications and knowledge databases accessible. Certifications around NIST cyber security, ISO 27001, SOC2, PCI DSS, HIPAA, GDPR, NIS2, and more can be sponsored by an organization for its employees.

Quick security culture framework for businesses


It’s important to start slow and small; culture cannot be adopted or changed overnight. So, here’s what organizations can do:

  1. Focus on one or two things at a time. Make sure this behavior is reflected throughout the organization before moving on to enforcing a new norm. For instance, one may start encouraging the use of strong passwords for different applications. When this behavior is widely established, the organization may move on to the next one.
  2. Identify influencers in the organization. Setting good examples can motivate others to follow suit. Get leadership buy-in right in the beginning and encourage them to follow best practices. When leaders demonstrate a security culture, it will strengthen the objective.
  3. Communicate clearly and regularly to propagate the message within the teams. Avoid jargon and use examples to make the message easier to understand. Include the “Dos and Don’ts”, if possible. 
  4. Baseline your current security levels and create a roadmap for the desired state. Measure the levels as the plan is slowly implemented. Review and make changes accordingly. Communicate the results with the leadership and stakeholders to assure them further. Also, set tangible KPIs that are linked to business. 

Important questions that need to be answered

  • Has the number of incidents gone down? 
  • What is the total downtime avoided and money saved?
  • Are employees reporting more incidents? 
  • Has the mean time to detect and respond gone down?
  • Has the compliance level improved? Has the participation in training improved? 
  • If quizzes or tests are being run periodically, have the responses improved? 

Answers to questions such as these will help in evaluating the success of security training programs, because the management of a company will always link the effectiveness of security culture to the KPIs.

Security culture cannot be set in stone; it needs to be reviewed and adjusted in light of new best practices, changes in security tools, a changing threat environment, employee feedback, and so on. It needs to be flexible enough to accommodate change. Companies that have a clear security strategy inclusive of a culture roadmap see improvements in resilience of as much as 46%.11

Security culture and compliance go hand in hand

Organizations that have a deeply ingrained security culture see improvements in compliance levels. This shift is already taking place. About 70% of compliance and risk professionals stated that the topic is taken more seriously than a few years ago.12

Businesses realize that without a security mindset, total compliance can never be achieved. A typical organization must follow about five to six compliance standards, which becomes too much if it is short on resources. These regulations can only be met through the right security practices. Average non-compliance costs are almost 3x higher than compliance costs, which means being compliant saves the company money.

Training is an effective way to increase security RoI

Organizations that invest in security awareness training reduce risk from 60% to 10% within a year and can witness at least 7x returns on their investments.13

[Return on security investment = (Annual cost of security incidents and breaches avoided – annual security investment) / annual security investment]

Studies have also demonstrated that employees can better identify threats after receiving security awareness training; in some cases, awareness levels have improved threefold. Phishing simulation training reduces employee errors by 60%.14 Beyond monetary aspects, compliance also gives a competitive advantage and builds customer confidence.

Underpinning culture with the right tools and technologies

As emphasized earlier, culture doesn’t stop at one or two things. Investing in the right security tools and resources, ensuring timely updates, patch management, checking vulnerabilities and configuration, having incident response plans, and enforcing the right data security policies, access controls, and management are all part of the culture. 

The use of the right security tools further strengthens the culture. For instance, many human errors can be reduced by automation. Companies can not only avoid human errors, but also improve incident response, compliance levels, and threat detection. Security teams that handle alerts manually are often overwhelmed: on average, they receive more than 4,400 alerts a day, and over 80% of these can be false positives. This often leads to burnout, and a burnt-out team can miss a critical alert. There are various instances where such misses have caused full-scale data breaches.

Automation and AI help to ingrain the security culture further

Burnout is not just common among security teams, but also among leadership. Gartner estimates that one in four CISOs will change jobs due to extreme work pressure, which can be attributed to poor organizational culture and skill shortages.15 Both these issues can be addressed to an extent by the right tools.

Automation, when coupled with Artificial Intelligence (AI), can help security teams analyze large amounts of data and alerts and respond to real threats. This reduces false positives and the time taken for threat detection and response. Cost savings are another benefit: organizations that used automation and AI saved about USD 1.7 million compared to those without such capabilities.

It doesn’t stop at AI; other smarter security solutions such as endpoint protection, zero trust, and microsegmentation can also be considered.

Start with your security culture strategy today. Humans need not be the weakest link, after all. If you’re considering strengthening your cyber security culture and resilience, we can guide you. Talk to us today.

About the author

Dheeraj Rawal, Content Marketer, T-Systems International GmbH

1 Global Cybersecurity Spending Article, 2021, Cybercrime Magazine
2 Information Security Spending, 2023, Statista
3 IT Security Budget Article, 2023, Kaspersky
4 Human Errors in Cybersecurity Breaches Article, 2022, Usecure
5 Microsoft AI Breach Article, 2023, TechCrunch
6 Gen AI in Phishing Attacks Article, 2023, CNBC
7 Real-life Insider Threats Article, 2023, Code42
8 Cost of Data Breach Article, 2024, UpGuard
9 Data Breach Cost Article, 2023, Terranova Security
10 Phishing Survey Article, 2023, Security Today
11 Security Resilience Article, 2022, Cisco
12 Risk Compliance Report, 2023, Thomson Reuters
13 Security Awareness Training Effectiveness Article, 2022, Usecure
14 Phishing Training Article, 2024, CyberPilot
15 Cybersecurity Leader Prediction Press Release, 2023, Gartner
