Culture Shock: what does the 'new normal' mean for cyber security awareness, behaviour and culture?
The last few months have certainly been challenging for individuals and businesses across the globe. As we begin to slowly establish the 'new normal', it is important for us to think about the impact COVID-19 is having on organisations and their security culture, particularly as we start to see the emergence of blended working routines.
What do we mean by security culture? An organisation’s security culture is made up of the norms that underpin acceptable behaviours. For example, an organisation with a good security culture would see behaviours that include people locking their computers when they leave their desks, reporting incidents, and actively engaging with awareness material. It is worth noting that, although we say “security culture”, the reality is more complicated than that. While there may be one overriding security culture, there will also be layers of different security cultures within one organisation, for example with differences between norms and behaviours of the security team itself compared to, say, the HR team and developers.
Over the last couple of years, security culture has been much higher up in the security profession’s agenda than ever before. For many organisations, work on security culture is not well-established but is rather in the initial phases – and then COVID-19 hit, ushering in a huge shift in organisational culture. Lots of organisations based their cultural plans and assessments on the premise that there would be a physical element involved, for example workshops, focus groups and in-person communications.
Over the last few months, many organisations were propelled into remote working like never before, and this has thrown a spanner in the works for security teams, including awareness professionals. For many this will have been a huge upheaval: with their awareness programme, face-to-face awareness sessions, messaging and delivery all changing in an extremely short space of time. Supporting individuals as they adjust to a remote set-up whilst trying to ensure and develop a good security culture in a totally new environment, now that's tricky!
Behaviours that have been established in the workplace may have been ‘undone’ in months of remote working. If someone receives a suspected phishing email whilst remote working, for example, they can’t turn to a colleague on the next desk and ask for their opinion or advice. Locking your computer is another example. You know who is in your house, so whilst you pop off to make a brew, you might not lock your computer. Or you know you're not going to have people tailgating through your house, so you don't think about it.
As we start to see the emergence of a blended working structure of the physical workplace and remote working, it is important that behavioural and cultural aspects of security are considered. We can see now, perhaps more than ever before, the importance of a security mindset and a risk-based approach. Focusing on why security behaviours are important, putting them in the context of a person’s environment and encouraging situational awareness will help us bridge the cyber security culture shock as we establish the ‘new normal’.