People have the potential to be an organisation’s best defence against cyber threats and fraud. This is especially true as companies continue to embrace work-from-home models and hybrid office and remote working structures.

With perimeter security lines blurred, more people being left to their own devices, and most cyber threats leveraging the human factor, building a cyber secure culture should be at the heart of effective cyber risk management.

“Many cybercriminals target individuals through malware and phishing scams, putting employees on the frontline of the fight against cybercrime. It is evident in the scourge of cybercrime since March that work-from-home models have made companies, their people and their data vulnerable. However, suppose cyber security is a culture within your organisation. In that case, it does not matter whether your employees at the office, at home or a bit of both,” says Charl Ueckermann, who has recently been appointed as Group CEO at AVeS Cyber International.

Inculcating a cyber secure culture has its roots in training staff on the dos and the don’ts around their use of technology and data resources. Yet, many companies are not providing ongoing cyber security training, despite the increased risks associated with remote working.

A survey by Malwarebytes, Enduring from home: Covid-19’s impact on business security, showed that 44% of companies did not provide cyber security training focused on the potential threats of working from home and 55% of company leaders cited the need to train employees on how to securely work at home as the top challenge.

“The dilemma is that cyber security is a difficult concept to grasp. People struggle to believe in what they cannot smell, taste or feel. Similarly, the average user of technology cannot hear, see, smell, touch, and taste cyber threats. They feel removed and untouched by them. That is until they are impacted by a cyber incident, data breach, fraud or identity theft.

“That is why developing a cyber secure culture, where everyone at every level of the organisation buys-into and participates in the cyber security strategy, is more effective than merely having a tick-box approach to cyber security awareness training. When cyber security becomes a culture in an organisation, two things happen: employees understand their role in the cyber security strategy, and they know how management expects them to respond to incidents.

“Culture is developed from strongly held value systems that are strategically supported. When safety forms part of your business values, your business continuity, the integrity of your data and sustainability of your business becomes a culture. These values must be driven from the top and be reinforced by both structure and strategy to ultimately shape employee perceptions and behaviour.

“Management plays an instrumental role in shaping and sustaining a strong cyber secure culture. If a company’s leadership does not buy into the importance of a cyber secure culture, it is unlikely that employees will,” explains Ueckermann.

Citing a 2020 Gartner report The Urgency to Treat Cybersecurity as a Business Decision, says company leaders are realising globally that they need to change how they approach cyber security and risk management.

“For decades, IT and business have been separated, with few senior managers or execs understanding the impact that cyber security, or lack thereof, had on the business. This is changing, and company leaders realise that cyber security is not solely a technological issue. It is a business issue that can’t simply be addressed with a few add-on solutions. It must be integrated and aligned with the business objectives. People, processes and technology all work together to form a secure culture.”

Ueckermann concludes: “Inculcating a cyber secure culture can create a stronger defence against cyber threats than the most robust technologies or any single policy or procedure. Start building a robust cyber secure culture by embracing cyber security as a core business value, making it a key organisational priority, and reinforcing its importance through ongoing communication, clearly defining policies and procedures, and investing in training.”