
Build a security culture of openness. Sharing is caring!

A security culture that really works needs to be based on openness within the organization: an understanding that it's good to both acknowledge and report errors and deviations. This is one of the key success factors for increased information security, writes Joakim Hvalby, Program Manager Information Security at Junglemap.


Information security is no longer an IT issue. It is essentially a strategic issue for organizational management. More and more organizations understand that various types of cyber-attacks pose a serious threat to the entire business. According to a study by KPMG, 18 percent of global business leaders state that cybercrime is the biggest threat to their profitability and growth in the coming years, an increase from 10 percent last year.

The security culture is crucial

Recognizing that an issue is strategic is one thing. Knowing how to manage it long-term, another. And there are no 'quick fixes' here. Strengthening information security is basically about creating a functioning security culture built on openness.

Most organizations go through the same stages in their security work:

  1. Denial
    Many organizations are still in a type of denial, an attitude that "as long as nothing happens, we don't need to do anything."

  2. Reactive
    Too many companies and organizations realize that information security is important only once the accident has occurred. Incidents always lead to activity. But the reactive approach is not enough.

  3. Systematic
    We see that more and more of Junglemap's customers have information security as part of their management systems. It provides stability and increased opportunity to both act quickly and efficiently.

  4. Proactive
    When security thinking becomes part of the organization's development work, you've come a long way. To 'add security' late in the process is never good. Security that is already considered when new systems and working methods are set up has a much better effect.

  5. A part of our daily routines
    Only when information security is part of every employee's everyday life, when IT security is at the core, is a security culture in place that has the possibility of increasing a company's security level.

For an organization to have an opportunity to take these steps and create a functioning security culture, a culture of openness is also required: an organizational culture that makes all employees feel encouraged to share errors and mistakes, even ones they have made themselves, and where those who report suspected errors and shortcomings are rewarded, not criticized and questioned.

Hidden statistics
Although we are constantly presented with reports of the increased number of cyber-attacks, it's just the tip of the iceberg. Most organizations that are exposed to ransomware, for example, choose not to communicate this, in an attempt not to damage their brand. There are studies indicating that only 10 percent of all cyber-attacks are actually being reported.

I think it's a big mistake. In the last year, we've seen several examples of organizations that have strengthened their brands through their openness. The Swedish retail company Coop, Kalix municipality and the Norwegian industrial company Norsk Hydro have all won appreciation and respect for their way of communicating what they have been through.

What’s needed is a culture of openness both within organizations and between organizations. Within industries and across sector boundaries. Without a shared culture of openness, those of us who work for increased information security will never have a chance against cybercriminals - who, after all, are constantly sharing knowledge and experience.

We are now launching the 2023 edition of Junglemap's Information Security Awareness course. Many of our customers have used this course continuously for many years. And the effects are clear: 93 percent of the participants say that they are more aware of security issues after taking the course, and many of our customers tell us that the number of questions to the IT department increases, that more employees report errors and things that seem suspicious.

And that's exactly what NanoLearning is all about. Creating awareness - all year round. Security is not something you have just because the technology is in place. It's ultimately about what your employees do. With NanoLearning, we can both overcome the forgetting curve and contribute to a security culture built on openness.

Jenny Peters
Article   November 18 2022