Building a Cybersecurity Culture in Nigeria

In the pursuit of holistic protection to information critical to day-to-day running of businesses, most organizations in Nigeria are now pushing for cybersecurity training for the employees, this is a good move to meeting their goal. But the success of the training now greatly depends on the organization. It will be difficult for many of the employees to practice what they have learned during training if their organization did not have a cybersecurity culture, and it will also be difficult for the organization to measure the impact of the training and the improvement it has made on how employees threat cyber safety.

To keep the balance of the above concerns, the organization must be ready to build a cybersecurity culture.  Before we can go into building one, we must first know what a cybersecurity culture is and what defining features make them sustainable.

What is Cybersecurity Culture?

A cybersecurity culture in the workplace amounts to the promotion of safe cybersecurity practices that integrate seamlessly with people’s work. It is making employees aware of cybersecurity threats and making them amend their behaviour accordingly to mitigate potential threats.

What Defining Features Make Cybersecurity Culture Sustainable?

There are features that make cybersecurity culture sustainable.These includes:

• Deliberate and Disruptive: The primary goal of a security culture is to foster change and better security, so it must be disruptive to the organization and deliberate with a set of actions to foster the change.
• Engaging and Fun: Employees want to participate in an enjoyable cybersecurity culture and a challenge.
• Rewarding: For employees to invest their time and effort, they need to understand what they will get in return.
• Return on Investment: The reason anyone does security is to improve an offering and lower vulnerabilities; we must return a multiple of the effort invested.

It is important to note that a sustainable cybersecurity culture is not a once-a-year event but must be embedded in everything the employees does in an organization.

How to Build a Cybersecurity Culture.

Building a cybersecurity culture for an organization must be weaved through organizational procedures, practices and maintaining an active conversation among stakeholders (Employees, Management, and Security Team). There are steps to be taken in building a cybersecurity culture for an organizations;

Run Assessment

Assessing the current security status of the organization will pave the way to creating a sustainable cybersecurity culture as it will provide insight into addressing audit results, security and technologies priorities and any metric available to measure progress. Insight into recognizing practice that may heighten risks such as bring-your-own-device (BYOD) policies, use of organization devices, unencrypted communication (like IM and Emails), data storage on personal devices, nonstandard computer configuration, and use of software that isn’t vetted by the security team.

Outline Mission

One needs to outline the mission before working out any specific details. A clear definition of what constitutes success for security and technology come up at this stage. Make sure the mission is simple and can be easily verbalized.

Win Management Support

When executives support a cybersecurity culture, they allocate resources to it and prompt a regular discussion about the overall security of the organization. It is also clear that executives’ actions drive priorities for employees.

Win Employees Support

One must earn employees backing with departmental-level conversations (sighting cases, incidents and its impact on victims)  about the impact of cyber threats to ensure they comprehend the value of security and they are not tempted to boycott the process. It will also be good to explain to them how their compliance can help improve their personal and family security outside the workplace.

Define Roles and Expectations.

This is the stage where we will instill the notion that security is everybody’s business in the organization. Roles need to define and people need to be assigned to responsibilities. With a detailed plan, specifying roles, responsibilities for every department in the case of any security incident will help eliminate ambiguity from the organization’s cybersecurity culture.

Communication

Communicate all cybersecurity policies, guides and best practices to all stakeholders. And routinely educate employees on incidents and the resulting areas to improve. Onboarding program for new hire should be in place. Understanding phishing attacks, promoting better password management, backing up work, account access, authentication, sending personal/sensitive information, encryption/digital signing, policies and best practices are all things employees should be educated about if the organization wants them to make better choices in this regard. You can outsource this training if the resources in-house will not be enough.

Reward and Recognize

Engaging employees in routine tests in a fun way (you can make it in the form of a game played individually or as a team) and motivation for the early responder will encourage and help promote the growth of the organization’s cyberculture.  Look for opportunities to celebrate success. When someone goes through the mandatory security awareness program and completes it successfully, give them something substantial. Use public recognition to reward employees and affirm the value of proper cybersecurity. The other side of this is to create confidence that if a mistake happens, organization security experts will find solutions, offer support and skip the blame.

Conclusion

It is clear that if an organization trains its employees on Cybersecurity and such an organization does not have a cybersecurity culture in place, such training will not be effective. So it is my advice for all organizations be it private or public in Nigeria to take a step in improving the cybersecurity culture.