How to End the Culture of Silence in Cyber Security

Do you believe everyone in your company would speak out if they suspected phishing or a cyber-attack was imminent? Can you conduct difficult cyber security discussions with your board of directors or management team?

The phrase "Culture of Silence" is more significant than ever in cyber security. When you add compliance to the equation, you have a recipe for employees to remain silent out of fear of getting in trouble.

We're here to explain why the culture of silence is becoming a significant issue and how to develop a more open security culture.

Why do individuals remain silent in the face of a cyber attack?

Most people will encounter or become a victim of a cyber attack at some point in their careers. It's becoming increasingly common for each of us to have a shared experience to which we can all relate. So, why shouldn't employees be concerned about this risk? Why wouldn't they tell you about the phishing scam they just avoided or fell for?

Our analysis reveals two main explanations, which I'll explain below:

1. People do not want to appear ignorant.
2. Nobody wants to get in trouble.

Consider this moment: this isn't exactly a novel notion to us. If someone breaks into our house, we phone 911, and they come to our aid. If we are in a car accident, we call for medical assistance. When we are unwell, we seek medical attention. Yet, when these events occur, we rarely blame the victim, so why are we all being blamed for cyber attacks?

Imagine leaving your front door unlocked and wide open, only to have it broken into. You wouldn't be proud of the story and wouldn't want to talk about it to anyone unless necessary.

Because no one wants to appear foolish to others, our natural defensive strategy is to remain silent.

This is what is occurring in our industry. We make very clear and avoidable mistakes. Of course, it would be embarrassing for anyone to admit to an obvious error, and this is no exception. Our objective is to assist folks in understanding what those apparent and avoidable mistakes look like and to prevent them from happening in the first place.

Employees should not be embarrassed to disclose cyber errors or accept that "it occurs." As technology advances, cyber attacks will become more common.

So now is the moment to take action before things worsen. Unfortunately, this leads to a culture of silence because people fear appearing ignorant in front of their peers. Therefore silence wins.

Nobody wants to get in trouble

We generally like to follow the rules. So if something out of the ordinary happens, we're alarmed. We don't want to get in trouble just to be safe. While this innate tendency is helpful in other situations, it's not ideal for security or compliance. We need to foster a culture that values reporting problems, one that loves cooperation and trust in others to support one another.

Trust is the foundation of an excellent security and compliance program.

So we need to be able to trust our staff to make informed decisions, even when we're not looking. We have to trust that they will disclose any security vulnerabilities. We must rely on them to notify us of any violations of compliance.

While we encourage employees to report phishing emails to their IT department if they're using Curricula at work, there isn't a suitable method for individuals to write them. This places a great deal of burden on the individual to feel independent.

As a leader, you are responsible for encouraging and supporting this behaviour by demonstrating its effectiveness in preventing attacks. Demonstrate to your staff that you rely on them for success.

Who is the most vulnerable to cyber-attacks?

In a nutshell, everyone! Anyone with a password, an email account, a phone, or an online presence is exposed to a cyber attack. Nowadays, it's practically hard to find somebody who doesn't meet one or more of those requirements.

Some, however, are targeted more than others:

• People over the age of 65: Unfortunately, cybercriminals will target weak people who aren't digitally proficient and aren't aware of what cyberattacks are. My grandparents have been attacked on several occasions and were even the victims of a computer attack.
• Adults in their twenties: People under the age of 25 are paradoxically ignorant and overconfident about their familiarity with technology and security.
• Remote Workers – Cyber attacks on employees have become more common as firms have gone remote. Employees may be utilizing their own infrastructure, such as WiFi, making monitoring everyone's cyber behaviour difficult.
• C-level executives (or those who work closely with them): Spear-phishing is the primary attack technique for this category. Messages may be designed to appear incredibly believable.

All these groups have one thing in common: They probably wouldn't share their experiences unless they feel safe about doing so. So to start sharing, we need to establish a culture of security and transparency.

Making efforts to foster a culture of security

Companies must set the tone by encouraging employees to speak out, educating their staff through security awareness training, and reporting attacks when they occur. This might save you not just time and money but also your organization's reputation.

Cyber attacks are unavoidable, and the only way to prevent them is through education and sharing past experiences so that history does not repeat itself.

Organizations that intentionally hide their cyber issues only ruin their reputation instead of acknowledging their mistakes and taking corrective action. This is essential in increasing the transparency of cyber attacks and becoming more aware of what we are dealing with. However, building a security culture entails more than simply talking the talk; it also entails walking the walk.

How to Establish a Cyber-Safe Workplace

Those of us who work in cyber security have heard stories from friends, loved ones, and coworkers who tell us, "someone actually attempted to phish me," and then share their story of the cyber attack. So it's evident that people not only need to talk about it, they want to. It's only a matter of taking the initial step.

Here are three (3) things you may take to help eradicate the culture of silence:

1. Sharing is caring: Being upfront with family, friends, employees, and employers about cyber threats may help lessen and even prevent some from occurring.
2. Involving Education: Using entertaining security awareness training to educate oneself and employees on cyber best practices might help. Even if you are technically savvy, it doesn't imply you understand all of the intricacies of cyber threats. They're more than just phishing and may take numerous forms. Ransomware, smishing, malware, passwords, social engineering, and other subjects should be included in the training.
3. Create a security culture: Employees tend to hide for fear of getting into trouble. This is a clear indicator of a lack of security culture. To create a strong security culture, your staff must have open lines of communication. Utilize engaging strategies to get employees interested in training and drive your business to work together.

The fast rise in cyber attacks can only continue unless people become more aware of the dangers they confront. A cyber attack has considerably more severe consequences than saving face' as an individual or institution. So let us work together to shatter the quiet and urge our staff to collaborate.

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cyber Security Awareness Training Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

Visit Rhyno Cybersecurity