How to establish a cybersecurity culture
A large share of cybersecurity incidents in organisations have been attributed to the activities and behaviour of staff members. The culture within an organisation has a strong influence on staff behaviour and the choices they make in their work. Understanding the character of this culture is crucial information to both understand and improve how cybersecurity practices are integrated into healthcare organisations. As such, investing in a security positive culture will help to lower and prevent security incidents. Organisational culture is influenced by what personnel believes to be the accepted beliefs and values of the organisation. As a result, these steer group and individual behaviour (Thomson, Von Solms, & Louw, 2006; Van Niekerk & Von Solms, 2010).
Cybersecurity culture and healthcare
Cybersecurity culture refers to “knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people’s behaviour with information technologies” (ENISA, 2018, p. 7). With the increase in healthcare technologies, and with devices connected to digital infrastructures with a myriad of vulnerabilities, cybersecurity is becoming increasingly important and is more and more considered to be a patient trust and safety concern (Coventry & Branley, 2018).
Determining the current cybersecurity culture
Before undertaking actions to improve the culture within an organisation, it is necessary to analyse the current standings and issues of the current organisational culture. While it may seem that human behaviour is the primary issue for cybersecurity incidents, it may serve as useful to determine if there are underlying causes that lie within organisational processes and requirements that reinforce cyber-risky behaviour. Additionally, resistance and workarounds to security measures by staff members may not always stem from bad intentions, but can stem from fear or shame (SecureHospitals.eu, 2019).
It is best to use multiple sources to assess the current cybersecurity culture. The following list contains sources to determine the current culture in an organisation (ENISA, 2018; SecureHospitals.eu, 2019):
- Use surveys, observation and/or interviews to assess staff members’ knowledge, beliefs, perceptions, attitudes, assumptions, norms and values.
- Review organisational processes and policies.
- Interview management to assess where the core issues lie for their teams.
- Use IT security tools, log files and IT support tickets to determine key issues.
- Employ security testing methods, such as phishing and malware campaigns, to determine employee response.
A report by ENISA provides insight into how to create a plan to assess the current cybersecurity culture and how to create an effective program based on the results. You can find the report here: https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations
Addressing and improving security culture
Organisational culture develops naturally and over time, however, there are several ways in which an organisation can support the growth of a cybersecurity aware and focused culture (ENISA, 2018). The following list contains items that are not limited to healthcare organisations but have been found to be critical in interviews with trainers and experts who work in that context (SecureHospitals.eu, 2019):
- Incorporate physical communication materials (e.g. posters, leaflets, banners) as well as digital materials (e.g. messages on staff portal, emails) in the communication strategy.
- Relate to the experience and interests of the target audience in every communication outlet.
- Implement training to support knowledge and skill raising in staff members.
- Appoint champions in each team who can both advocate for cybersecurity behaviour and support team members who need help.
- Support open communication about cybersecurity and address concerns that staff members raise.
For more insights into training and improving cybersecurity in healthcare, you can read the trainer interviews report. You can download the report here: https://project.securehospitals.eu/deliverables/
Factors for success in creating a cybersecurity positive culture
There are several mitigating factors that should be taken into account for the successful implementation of cybersecurity positive cultures.
- Implementing a cybersecurity positive culture needs a focus on creating multi-department teams. A single person may be effective in specific departments or teams, but usually not across an entire organisation (ENISA, 2018).
- The organisational leadership, in particular its executive board, should be an active and vocal supporter of cybersecurity initiatives (Coventry & Branley, 2018; ENISA, 2018).
- The culture in an organisation does not change overnight (Van Niekerk & Von Solms, 2010). Stakeholders need to be aware and adjust their expectations accordingly. Programs should calculate sufficient time for running cybersecurity initiatives .
- Values and beliefs are influenced by knowledge and skills of staff members, so investing in training will support developing a cybersecurity culture (Van Niekerk & Von Solms, 2010).
- Provide insight into why certain measures are implemented, as this will increase acceptance of the new measures. It is not always necessary that employees need to have a deep understanding of technical ins and outs of something, as long as they understand and accept the importance of whatever measures are being implemented, and if the process itself is workable within workplace contexts (SecureHospitals.eu, 2019).
- ENISA’s framework for designing interventions for human aspects of cybersecurity: https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity/
- Six ways to develop a security culture by Chris Romeo: https://techbeacon.com/security/6-ways-develop-security-culture-top-bottom
- ISACA and CMMI Institute’s 2018 Cybersecurity Culture Report: http://www.isaca.org/info/cybersecurity-culture-report/index.html
- Losing the cybersecurity culture war by John Schoew: https://www.accenture.com/us-en/blogs/blogs-losing-cybersecurity-culture-war