Blog & Tools

Strength of cybersecurity culture tied directly to a business's risk

notebook with passwords written down

If you write your passwords in a notebook, don’t know what MFA means or are unsure how to report a cybercrime — you’re not alone. According to research from the National Cybersecurity Alliance (NCSA), we’ve still got a long way to go to reach significant culture change in online security.

The NCSA conducts an annual study that examines attitudes and behaviors around internet-connected devices and perceptions of security. The survey polled 2,000 people in the U.S. and United Kingdom about attitudes and behaviors with cybersecurity. Lisa Plaggemeir, interim executive director of the NCSA, shared initial findings from the 2021 report at the Greater Sioux Falls Chamber of Commerce's annual Cybersecurity Conference.

The NCSA’s vision is to empower a more secure, interconnected world. Basically, the non-profit helps market the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS), Plaggemier said. NCSA has a number of programs and initiatives to help small and medium-sized businesses promote online safety and security.

“It’s disappointing how many companies haven’t made it easy or standardized. People just don’t know how. We need to be constantly reminding our end-users how to report and to keep it really simple,” she said.

Reporting security issues was just one aspect of the survey; the report also addressed feelings, confidence, victims, responsibility, behaviors, advice, and barriers related to cybersecurity.

Plaggemeir went through a high-level view of the report results and some advice for businesses on how to make improvements on culture change:

  • Password hygiene — use password managers instead of those notebooks to organize secure passwords
  • Start with a hook — instead of focusing on fear, talk about why it matters and sell ease of mind instead of threats
  • Acronyms are alienating — people tune out right away so try and resist using them with the general user population in your business
  • Avoid the “curse of knowledge” — assuming everyone understands. Also avoid the “curse of passion” — assuming everyone will do the right thing
  • Enforce rules — people will change behavior when they have to follow them
  • Use MFA (Multi-Factor Authentication) – it provides an additional level of friction by requiring a user two or more verification factors; but once it’s set up, the survey found people do use it.
  • Make it easy to report incidents — from cyber threats to “phishy” emails, enable employees to know where or who to turn to with questions

Employee engagement also plays a role in cybersecurity. Unfortunately, not everyone is engaged. Gallup provides a survey about the levels of employee engagement and says, overall, only 36% of US employees are engaged.

When management or IT relies on the argument that employees “will do XYZ to protect the company,” and those employees don’t care about the company, that’s not a good argument, Plaggemeir said.

“This data tells us engaged employees are also important in securing the organization. We rely on it, but there isn’t the emotion there to secure it,” she said.

Behavior is emotional and once people can get over that initial barrier, they’re able to make changes, Plaggemeir said.

“Why aren’t people keeping good habits? Lack of trust — people don’t know how these things work and they have automatically decided they don’t trust them,” Plaggemeir said. “This idea of lack of trust is really critical here. It’s intimidating, it’s too complex. We need to make it easier.”

People are incredibly connected and use a number of connected devices. So, Plaggermeir says better understanding the barriers to cybersecurity can ultimately help change behaviors.