The cybersecurity industry has spent the past decade urging businesses to make all their employees take responsibility for cybersecurity. It is a fair and reasonable strategy with a lot of merits – but is it really the most effective approach to drive forward a conscious cybersecurity culture?
In reality, putting the onus on the average employee to take accountability for ensuring cybersecurity measures are fully implemented could actually increase the potential risk of a security breach. Taking it a step further, there is an argument to say it could even be irresponsible.
Reaching the limit of what we can teach employees
After reams of awareness training – some more effective, some less so – it’s becoming clear that there is only so much businesses can teach employees whose roles are not focused on IT and cybersecurity.
Security training is important for all organisations, particularly as it exposes employees to critical security concepts and practices, encouraging them to be responsible cybercitizens in and outside of work. One of the most critical aspects of cybersecurity for businesses is educating and raising awareness among employees, particularly as human error remains one of the leading causes of security breaches.
However well-intentioned an employee might be, teaching them the complexities of cybersecurity practices when they have limited time and expertise in the subject can be challenging and deliver limited returns.
Ultimately, it comes down to a few human truths. People are busy. They’re focused on their immediate goals, such as how to ensure a project runs on budget or how to secure their next promotion. Cybersecurity isn’t top of mind – at best it can be a nuisance to them and at worst an imposition that makes their jobs harder.
Hackers are constantly changing their approaches
In today’s digital age, businesses face an ever-increasing threat of cyber-attacks. From phishing scams to malware, cybercriminals are constantly devising new methods to infiltrate networks and steal valuable data.
Every day in the UK, approximately 65,000 hacking attempts target small and medium-sized businesses (SMBs). Shockingly, about 4,500 of these attempts succeed, resulting in significant security breaches. This means that over a year, roughly 1.6 million of the 5.7 million SMBs in the UK fall victim to successful hacking incidents.
These staggering statistics highlight the urgent need for robust cybersecurity measures to protect SMBs from the ever-present and evolving threat landscape.
However, the average employee can only be so aware of these threats and conscious of implementing robust cybersecurity measures every day. It’s not their job to keep up with the hackers and their constantly changing approaches to cyber-attacks – and we shouldn’t expect them to.
The C-suite needs to step up
But if taking ownership of cybersecurity is not down to everyone in the organisation, who is it down to? Ultimately, the C-suite needs not just to take command legally – it needs to drive a culture of cybersecurity, embed accountability and create new norms of behaviour.
Developing and implementing a comprehensive cybersecurity strategy, one that drives a strong cybersecurity culture throughout the business and embeds C-suite accountability, is among the first steps business leaders should take. Setting this example from the top down is a critical part of driving cybersecurity awareness across the organisation.
From there, the rest of the organisation can be empowered to play their part – but in a considered, appropriate, and effective way. That includes implementing the right security tools, ensuring employees are trained on cyber risks, establishing an incident response plan, regularly assessing security risks, and staying up to date with the latest security trends. These are all essential in making sure the organisation remains protected against today’s cyber threats. Yes, everyone has a role in that – but taking responsibility? That starts at the very top. Businesses which have embraced this ethos and put it at the core of their cybersecurity strategies are among those best equipped to tackle the risk.