The most expensive IT security equipment is worthless if the topic of cybersecurity is not anchored in the corporate culture, and thus also in the actions of the employees. In this article, you can find out how the corporate culture can be developed step by step toward greater IT security awareness, and which department is particularly important in this process.
A study sponsored by the German Federal Ministry of Economics in 2020 reveals that many companies fall victim to cyber-attacks, despite IT security measures. From this, it can be deduced that the introduction of IT measures is not enough. Employee acceptance and adoption are also very important. The best IT security policies are useless if they are not lived and actively applied by the people in the company.
Statements by employees such as “We don’t need IT security software; everything has gone well so far” or “They can’t know my password with my cat’s name” are extremely dangerous and can cause millions of euros in damage in the event of a successful cyber-attack.
In the long term, the entire corporate culture must be changed to create an awareness of IT security among all employees.
But how can this be achieved?
The driver of the change process is the management
In many companies, the topic of IT security is anchored primarily in the IT department. From there, laborious attempts are made to educate all employees to adopt careful IT behavior. However, corporate culture changes cannot be initiated and driven solely by the IT department. IT security encompasses the management of risks and should therefore also be positioned at the management level. It is pointless if the IT department implements processes and expensive technology, makes them mandatory for all employees, and the CEO still keeps his passwords on a post-it on his laptop.
As a first step to changing the culture, it may make sense to anchor the culture change as a long-term project in the management department.
Lead the way with practiced password behavior: The supervisor as a role model
Supervisors have a major influence on employee attitudes and behavior, as they act as role models for employees. The CEO in particular should set an example of security-conscious behavior and thus indirectly inspire employees to behave in the same way. This view is also supported by a study conducted by the Stepstone job platform in collaboration with the Kienbaum Institute ISM, which surveyed 13,500 people on the subject. According to the study, managers often adopt the behavior of their superiors and transfer it to their own employees.
Accordingly, managers should set an example for their employees in the use of IT security software and communicate its importance in meetings and discussions. Another important means of achieving sustained behavioral change is through written policies. However, it is not enough for management to define them once; it is also important to communicate them and monitor compliance with them.
Another important step companies can take toward greater IT security is to define password policies. Companies that prescribe minimum password requirements for their employees are significantly less likely to be the target of cyberattacks. These guidelines must be clearly formulated and made comprehensible to every employee. Targeted training to increase employee acceptance and make the software’s usefulness clear should be mandatory for all employees – regardless of position or department.
Password management software for more password control and fun
To support the generation of complex passwords, the introduction of password management software can be very helpful. Nevertheless, this change may initially be met with rejection and disinterest by many employees, as organizational processes have to be restructured and, in the initial phase, employees have to change their behavior.
In this case, it is important that, in addition to the supervisor’s exemplary use, the software is user-friendly, and the design is appealing. In addition, when the software is introduced, employees must receive an introduction from the IT department and understand the meaningfulness and importance of the individual functions. Again, management should clearly communicate the financial consequences that simple passwords can have in the event of a cyber-attack to make the relevance of this issue clear to each individual.
But the individual benefits of a new tool should also be clear to each employee: when using password management software, employees’ disinterest often turns into interest or even enjoyment, since the tedious task of thinking up, memorizing and typing passwords is no longer necessary. Employees are thus gradually trained in better password behavior, can work with fewer interruptions and more productively, and the overall risk of cyberattacks is reduced.
Change management is a marathon, not a sprint
And so, little by little – because changing a corporate culture takes time – the actions of all of a company’s employees, taken as a whole, must shift toward more secure IT behavior. During this process, the error culture is also of particular importance, as employees must be encouraged – by management and the IT department – to report errors quickly and without dire consequences. This is more likely to prevent attacks than if security breaches are swept under the rug by employees in the hope that nothing bad will happen …