How to Build a Cybersecurity Culture in Your Business

In IT, the latest tools are a must to keep companies safe. But here’s why culture is just as important – and how you can foster a safer workforce.



How do you maintain a healthy immune system? Not by living in continual fear of illness, or forever consulting doctors (although that may be comforting to some), but by pursuing wellness – fitness, nutrition, and physical and mental balance.

Likewise, in business, the goal is not simply to be reactive—to keep responding to problems as they appear—but to proactively develop and execute strategies that prevent these problems from occurring in the first place. This is particularly important for IT and cybersecurity teams as, by the time a problem appears, it can often be too late.

Is your business approaching IT with a cybercrime mindset, where problems are to be feared? Or with a security-first mindset, where you focus on integrating best practices for improving the safety of your data? In this blog, we examine how IT teams can cultivate security best practices throughout the wider business and facilitate a culture shift from reactive to proactive.


Contents



Every business is in the IT business


“Major service provider suffers large-scale breach.” Headlines like this are so common now that they barely attract notice. Russia, China, and the U.S. regularly claim attacks against critical communications and energy grids, with election tampering and COVID misinformation the most recent alleged threats in fashion. 

And other countries haven’t been spared. Take Australia, for example (the home of Megaport HQ). In October 2022 alone, hackers targeted a platform containing sensitive Department of Defence data, health insurer Medibank suffered a data breach affecting nearly 10 million customers, and AFP classified documents were leaked, exposing agents fighting drug cartels.

With so many types of cybercrime rampant around the world (from critical utility sabotage, to cryptocurrency fraud, to ransomware), the cybersecurity market is projected to grow from 155.83 billion USD in 2022 to 376.32 billion USD by 2029. The challenge is ongoing – and it affects everyone. So how can IT teams shift an entire business’s mindset toward maintaining cybersecurity best practices to help protect the business at large?




Solutions


Many times, cybersecurity issues arise not because of technology gaps or system defects, but because of carelessness or ignorance on the part of employees – most often those not working in or adjacent to IT. 

According to IBM, “human error was a major contributing cause in 95% of all breaches.” This is not to necessarily blame employees, but highlights a need to focus not just on technology but also workplace culture and behaviors.

Here are some practices you can adopt to proactively make your workplace culture more cybersecure.



1. Understand your business


Prior to any other step, every organization should conduct their own business impact analysis (BIA) and risk assessment. This ensures that IT and cybersecurity team activity is aligned to the goals of the business and understands the priority areas to maintain and secure. Make this a continual practice, and don’t leave it purely to the IT department – all areas of management should be involved.

Weaknesses in business processes and procedures can occur outside of the IT team’s area of responsibility, which is all the more reason to maintain visibility and involvement of how businesses are creating, using, and sharing their data and information assets. This is also a great way to build collaborative relationships and a sense of ownership within organizations (with all the benefits of enhanced visibility and collaboration that may flow).

All cybersecurity starts with good IT governance. The following activities may be common knowledge to IT and cybersecurity teams but may not be to other non-technical teams. Even where it falls outside their purview, it is worth sharing these basic IT and cybersecurity goals with the wider business in order to communicate how and why your teams work to securely deliver IT services.

  • Build and maintain secure user systems – ensure there is proper encryption, anti-malware is enabled, and software is regularly updated
  • Enable secure and reliable storage – provide approved and encrypted storage services, regular backups, and periodic recovery testing
  • Securely connecting resources – build low-latency, security layered networks to connect users to data centers and cloud services
  • Email and spam filtering – ensure that only relevant emails arrive in your inbox and that a fraudster’s phishing email is blocked
  • Enable identity and access controls – enforce strong passwords, implement two factor authentication (2FA), and consolidate logins where possible
  • Maintain continual awareness – communicate threats and risks to the business as well as the procedures for staff to follow in the event of a concern or incident.





2. Implement relevant protections


After conducting your BIA and risk assessment, do IT and cybersecurity teams understand business goals, constraints, and reasons how and why certain business processes are conducted? Which areas present the biggest concern? What changes are required to best protect against any weaknesses? 

By assessing the risks in the context of the business goals, the IT and cybersecurity teams can devise practical and enforceable mitigations against threats. They can then plan a roadmap to implementing necessary changes that minimize disruption (and hopefully annoyance) to your staff. People will generally follow guidelines if they understand that there is reasonable purpose and alignment to business goals. 

IT and cybersecurity teams engage best when available to discuss why certain guidelines are implemented and advise as necessary on the best way to implement or comply. This typically includes:

  • Onsite security how to handle visitors, locking sensitive documents, and other audio-visual equipment
  • Removable media how can USB sticks, SD cards, optical or magnetic media be securely used (or better yet – don’t use them at all)
  • Mobile devices – what information or business systems can be accessed and how
  • Remote site security any additional precautions or requirements for home or public spaces and Wi-Fi
  • Cloud services – what is acceptable use for implementing cloud services and storage of business data 
  • Being email savvy never click suspicious links, download unknown files, or follow strange instructions sent in email
  • And being web savvy – check for secure sites (HTTPS), take care on social media, and take care in where you transfer files
  • Confidentiality and privacy – ensuring that information and data is only accessed or known to those who require it
  • Keeping your identity secure never write or share your (strong, complex) passwords or tokens


Whatever training it may be that you provide, and however it is delivered, the key is to do so with purpose and enthusiasm. Mindset matters – if you offer half-measured programs of dull compliance training videos, you can expect similar results.




3. Engage and cultivate buy-in


Ultimately, the purpose of IT is to enable the technology tools required to conduct business serving both the employees and your customers. IT and cybersecurity are more than a means to operate the business on a logistical level – but a hub of knowledge and support for others to perform their role. Technology permeates every aspect of your business. 

To ensure everyone is engaged and supporting your initiatives, propose relevant, reasonable controls that solve clearly articulated problems instead of dictating requirements. Solicit and consider feedback regarding productivity and other potential business impacts. Integrate communications with operational and leadership discussions to maintain effective awareness and stakeholder feedback loops. Speak to the business partners in terms they understand and seek to understand the business. Recognise security champions and reward achievement. Employ relevant, and engaging, awareness and training in regular, consumable packages.


Summary


Crime is a fact of human societies around the world. Information technology and the Internet bring the world together in unprecedented ways, so it is inherently a medium for crime of many varieties, scales, and motivations. As a result, measures to prevent or minimize IT crime can feel like an endless game of cat and mouse.

Instead of considering cybersecurity as an obligation or roadblock, leverage your relationships with partners in the business to embed protections and good practice into the foundation of the business. Seize it as an opportunity to cultivate greater awareness and unity in achieving business objectives.

By curating continual assessment and awareness processes, you can quickly react to changes in the threat landscape and develop controls suited to your organization. By embedding processes and communication channels into other teams and business units you can develop, revise, and adapt policies, processes, and procedures that align with business objectives and constraints. By soliciting and considering feedback you get everyone involved – because that involvement is meaningful and genuinely helpful. Monitor the sentiment of your people, not just their completion of generic online compliance courses.

And ultimately, by not viewing cybersecurity as merely a cost and an inconvenience or, worse, as some hypothetical threat, your organization will be poised to meet the challenges presented by the continual change in technology.




Cybersecurity and Megaport


Virtualizing your network with a secure private provider helps streamline your network security and gives you more time to focus on people. Provisioning virtual private connectivity with a Network as a Service (NaaS) provider like Megaport will shield your data from transiting the public internet, and will instead provide a protected path between your locations, cloud providers, and platforms.

When you connect to Megaport’s vendor-neutral Software Defined Network (SDN), you’re enabling a private network backbone that can be applied across your entire network for better security, performance, and ease of management. With on-demand provisioning and no lock-in contracts, customers can also future-proof their architecture with the ability to scale their network up in real time as they grow, as well as full network visibility via the Megaport Portal.

Our Megaport API allows customers to get even more control over their network by automating a range of Megaport-related processes and enabling on-demand private connectivity between customer, marketplace, and cloud-service provider locations. Meanwhile, Megaport Virtual Edge (MVE) gives customers control of their network from end to end, meaning they can keep a closer eye on security controls and protect their data to the edge.

You can also easily and securely integrate your network through SASE (if partnered with Fortinet or Versa) for a NaaS and Security as a Service (SaaS) fusion that supports faster speeds and higher bandwidth without compromising on security. This solution enforces consistent security policy at the cloud services level, meeting users wherever they are, on any device; the security perimeter allows direct communication to the resources that your end users need to access. We have also been looking at advanced security measures for our network through quantum cryptography: You can read more about that in our blog here.



Discover how Megaport’s private and secure connectivity solutions could help you – book a demo today.



Robert Miller
Information Security Manager

Filed under: Blog

Get the latest cloud insights delivered.