Now is the time for cybersecurity policies to become as ubiquitous and accepted as workplace safety policies. Cybersecurity today is where physical safety was 40 years ago—there are few regulations or standards, and those that exist often feel arbitrarily imposed. Cybersafety is not an expected or regulated part of corporate culture. This is a critical moment not only in the cybersecurity landscape but in baseline corporate behavior. It is time for leaders to create cultural changes that support cybersecurity policies and make them as requisite as safety and compliance standards.
Years ago, factory work was incredibly hazardous and unregulated. There was no outside governing body to oversee safety measures in factories. There were no safety postings or signage distributed in the work environment. Only when workers fought for industry standards did entities like OSHA begin ensuring safer environments. Safety meetings, equipment maintenance and protective barriers became standard. Incidents are now debriefed in the open—manufacturers have signs announcing the days or years since the last accident. Before the 1970s, however, workplace safety expectations were rare and accidents were accordingly routine.
Imagine this: A new employee enters a manufacturing plant and their supervisor tells them to figure it out on their own. So, they start pushing buttons, moving levers and maybe even hanging out with the buzzsaw—much like a toddler without supervision. If somebody cut off a digit, employers quietly sent them to the hospital, and the employee returned to work as though nothing happened. No one talked about the accident or tried to fix the machine that caused it.
In this century, such events seem preposterous and wouldn’t be acceptable in any organization. Yet, this is how we treat our companies when we don’t create a culture of cybersecurity.
As of 2022, cyberattacks cost the U.S. economy an average of $9.44 million, rising yet again year over year. Because of advanced hackers’ sophisticated methods, no person or business is immune from cyber issues, even people who don’t have laptops. Today, companies are even more vulnerable to cyberattacks for the same reasons that caused tragic workplace accidents: few standards and no oversight. This must change.
Fight For Cultural Change
Cultural change is the first step that must occur if we expect our businesses to be protected from cyberattacks. Just like safety measures implemented across industries to protect workers, we need a cross-industry focus on digital safety and cybersecurity. Our broader culture must understand cybersecurity is as critical as wearing hard hats and neon vests on a construction site.
Business leaders are responsible for cultural change within their organizations to ensure both short-term and long-term thriving. This requires emulating certain behaviors that will better protect your organization (e.g., taking more time to read something before clicking on it or looking for funky URLs and addresses that differ from the usual information resources). It also takes a conscientious effort to incorporate cybersecurity measures into the work environment just as you would address any other threat (such as physical building security or safety with machines and systems).
Master The Fundamentals
Protecting your company doesn’t have to be complicated. The basic routines organizations must follow (multifactor authentication, pen tests, threat hunts, wiping sensitive data from old devices, etc.) are table stakes. Every organization must master these. Do the maintenance: regularly patching and updating all software and firmware not only allows every device to function at its optimal level but also provides critical fixes for newfound vulnerabilities.
Team members must understand these are everyday, ongoing practices. Forgoing steps like multifactor authentication, pen tests and threat hunts is the cyber equivalent of a surgeon not washing their hands before operating or a traffic patrol officer starting work without a regulation safety vest. Each person must understand that these cybersecurity measures are what allow their real work to begin.
Software Alone Won’t Solve Cybersecurity Issues
Technical solutions such as anti-malware software are only effective when used in tandem with employee education. Continuous training must be required for all stakeholders, including third parties who access your organization’s information. Employees must also be trained to understand and report insider threats so your company can act quickly when those threats arise. Discuss your organization’s “crown jewels” that need special attention, provide a case study on prior breaches and teach them to recognize signs of a security incident. Having a conversation about potential problems at an organizational level is a healthy habit to form.
Cybersecurity Is A Never-Ending Journey
Cybersecurity is a continuous journey toward understanding the level of risk and the threats your organization faces and responding accordingly. Leaders and their teams must understand that cybersecurity regulations are just as important as physical safety regulations. Understanding common threats, educating your employees on what to watch out for and learning the best practices to secure your company’s digital assets are vital steps to limit the frequency and severity of these attacks.