Cyber Security Culture Principles: Culture is Key to Resisting Attack

 

 

The National Cyber Security Centre (NCSC) has launched a new set of cyber security culture principles. These have been developed following considerable research and describe the kind of culture that can help businesses stay cyber secure.

Cyber security is about protecting computers, networks and data from theft, damage, or unauthorised access. It also helps to keep personal information, business systems and online services safe from cyber attacks.

The guidance talks about cyber security teams, and much of it may be better suited to larger organisations. However, given how vital technology now is in business and the increasing prevalence of cyber attacks, businesses of all sizes will find some benefit in it.

Here’s a brief review of each principle.

Principle 1: Frame cyber security as an enabler, supporting the organisation to achieve its goals.

If you are not careful, cyber security can be seen as a barrier to getting the job done. For instance, an employee might see security procedures as a waste of time that could mean losing a sale.

There may need to be an adjustment in thinking and goal-setting so that everyone sees security as something that helps the business achieve its goals – safely and with confidence. The guidance explores some ways you can achieve this.

Principle 2: Build the safety, trust and processes to encourage openness around security

If people feel there will be negative repercussions, they will be unlikely to speak up. They might cover up mistakes, not challenge others who break rules, or not volunteer ideas that could help improve security.

Therefore, it can be helpful to think about what processes you have in place to avoid this kind of thinking and help staff to feel safe.

Principle 3: Embrace change to manage new threats and use new opportunities to improve resilience

Sticking to the way things have always been done can leave a business vulnerable to new threats.

A security breach or online attack can reveal gaps in how you protect your systems or data, showing you what needs to be improved. By fixing these issues and updating your approach, your business can become more secure and be better prepared next time.

 

 

Principle 4: The organisation’s social norms promote secure behaviours

This means that staff are expected to act safely online, and it becomes part of how things are done in the business. When good security habits are normal and encouraged, everyone is more likely to follow them.

Principle 5: Leaders take responsibility for the impact they have on security culture

Leaders in the business have a huge influence on staff behaviour, so it’s important that security policies are supported by word and example from the top. Staff are likely to follow the example set for them, which could mean ignoring a policy if their boss does.

Principle 6: Provide well-maintained cyber security rules and guidelines, which are accessible and easy to understand

The guidance helpfully mentions that rules that are too prescriptive become unwieldy and outdated, which will eventually harm efforts to be secure. On the other hand, rules that are too vague or casual leave people stressed and unsure of what to do.

The guidance provides some ideas on how to strike the right balance.

What next?

Why not review the guidance to see how these principles could be applied in your business? The more cyber secure your business is, the more resilient it will be against threats, and that can only help your business to keep growing!

See: https://www.ncsc.gov.uk/collection/cyber-security-culture-principles 
