06-09-2024, 03:05 PM
News Building a Culture of Cybersecurity: Why Awareness and Training Matter
<p><img width="1000" height="667" src="https://thecyberexpress.com/wp-content/uploads/security-culture.webp" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="security culture" decoding="async" srcset="https://thecyberexpress.com/wp-content/uploads/security-culture.webp 1000w, https://thecyberexpress.com/wp-content/u...0x200.webp 300w, https://thecyberexpress.com/wp-content/u...8x512.webp 768w, https://thecyberexpress.com/wp-content/u...0x400.webp 600w, https://thecyberexpress.com/wp-content/u...0x100.webp 150w, https://thecyberexpress.com/wp-content/u...0x500.webp 750w" sizes="(max-width: 1000px) 100vw, 1000px" /></p><span style="color: #ff0000;"><em><strong>By <a style="color: #ff0000;" href="https://www.linkedin.com/in/sithembile-songo-08695328/?original_referer=https%3A%2F%2Fwww%2Egoogle%2Ecom%2F&originalSubdomain=za" target="_blank" rel="nofollow noopener">Sithembile (Nkosi) Songo</a>, Chief Information Security Officer, ESKOM </strong></em></span>
<span style="font-weight: 400;">According to the Ultimate List of Cybersecurity Statistics, 98% of cyber attacks rely on social engineering. Social engineering and phishing attacks tactics keep on evolving and targeting a diversified audience form executives to normal employees. Advanced phishing attacks that can be launched using GEN AI. There is also a shift in motivation behind these attacks, such as financial gain, curiosity or <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-data/" target="_blank" rel="noopener" title="data" data-wpil-keyword-link="linked" data-wpil-monitor-id="4695">data</a> theft. </span>
<span style="font-weight: 400;">Recent attacks have shown that <a class="wpil_keyword_link" href="https://thecyberexpress.com/cyber-news/" target="_blank" rel="noopener" title="cyber" data-wpil-keyword-link="linked" data-wpil-monitor-id="4694">cyber</a> criminals continue to use various social engineering tricks, exploiting human weaknesses. Attackers are evolving from only exploiting technology vulnerabilities such as using automated exploits to initiate fraudulent transactions, steal data, install <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-malware/" target="_blank" rel="noopener" title="malware" data-wpil-keyword-link="linked" data-wpil-monitor-id="4691">malware</a> and engage in other malicious activities. </span>
<span style="font-weight: 400;">Furthermore, it is a well-documented fact that people are deemed to be the weakest link in the cybersecurity chain. Traditional security controls put more focus on the technical vulnerabilities as opposed to the human related vulnerabilities. Threat actors are transitioning from traditional system and or technology related cyber-attacks to human based attacks. The cyber criminals have identified and are now taking advantage of uninformed or untrained workforce by exploiting the human related vulnerabilities. </span>
<span style="font-weight: 400;">Employees often make it too easy by posting a huge amount of information about themselves, including daily status, activities, hobbies, travel schedule and their network of family and friends. Even small snippets of information can be aggregated together. Bad guys can build an entire record on their targets. Employees, especially those that are targeted, should limit what they post. Bad guys leverage on other weaknesses, such as the improper destruction of information through dumpster diving and <a href="https://thecyberexpress.com/totalrecall-tool-extracts-recall-data/" target="_blank" rel="noopener">unencrypted data</a>. The three most common delivery methods are email attachments, websites and USB removable media. </span>
<span style="font-weight: 400;">Properly implemented USB policies and trained users can identify, stop and report phishing attacks. Well-educated workforces on all the different methods of social engineering attacks are more likely to identify and stop the delivery of these attacks. </span>
<span style="font-weight: 400;">While malicious breaches are the most common, inadvertent breaches from human error and system glitches are still the root cause for most of the data breaches studied in the report. Human error as a root cause of a breach includes “inadvertent insiders” who may be compromised by phishing attacks or have their devices infected or lost/stolen </span>
<span style="font-weight: 400;">Entrenching a security conscious culture is therefore extremely important in today’s digital age. <a href="https://thecyberexpress.com/embracing-cybersecurity-awareness-month/" target="_blank" rel="noopener">Cyber awareness</a> is of utmost importance in today’s digital age. </span>
<h3>What is "Security Culture"? <span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">Security culture is the set of values shared by all the employees in an organization, which determine how people are expected to perceive and approach security. It is the ideas, customs and social behaviours of an organization that influence its security. Security culture is the most crucial element in an organization’s security strategy as it is fundamental to its ability to protect information, data and employee and customer <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-privacy/" target="_blank" rel="noopener" title="privacy" data-wpil-keyword-link="linked" data-wpil-monitor-id="4690">privacy</a>.</span>
<span style="font-weight: 400;">Perception about cybersecurity has a direct impact to the security culture. It could be either positive or negative. It’s deemed to be positive if information security is seen as a business enabler and viewed as a shared responsibility instead of becoming the <a href="https://thecyberexpress.com/cyberattack-on-change-healthcare-3/" target="_blank" rel="noopener">CISO’s sole responsibility</a>. On other hand it’s perceived negatively if security viewed a hindrance or a showstopper to business or production.</span>
<span style="font-weight: 400;">A sustainable security culture requires care and feeding. It is not something that develops naturally, it requires nurturing, relevant investments. It is bigger than just ad-hoc <a class="wpil_keyword_link" href="https://thecyberexpress.com/cyber-security-events/" target="_blank" rel="noopener" title="events" data-wpil-keyword-link="linked" data-wpil-monitor-id="4693">events</a>. When a security culture is sustainable, it transforms security from ad-hoc events into a lifecycle that generates security returns forever. Security culture determines what happens with security when people are on their own. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure throughout the development life cycle. </span>
<span style="font-weight: 400;">Security culture should be engaging and delivering value because people are always keen to participate in a security culture that is co-created and enjoyable. Furthermore, for people to invest their time and effort, they need to understand what they will get in return. In other words, it should provide a return on investment, such as improving a business solution, mitigating <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-are-risks-in-cybersecurity/" target="_blank" rel="noopener" title="risks" data-wpil-keyword-link="linked" data-wpil-monitor-id="4692">risks</a> associated with cyber breaches. </span>
<span style="font-weight: 400;">Culture change can either be driven from the top or be a bottom-up approach, depending on the composition and culture of the organization. A bottom-up approach rollout allows engaged parties to feel they are defining the way forward rather than participating in a large prescriptive corporate program, while support from the top helps to validate the change, regardless of how it is delivered. </span>
<span style="font-weight: 400;">In particular, a top-down mandate helps to break down barriers between various business functions, <a href="https://en.wikipedia.org/wiki/Information_security" target="_blank" rel="nofollow noopener">information security</a>, information technology, development team, operations, as well as being one of the few ways to reach beyond the technical teams and extend throughout the business.</span>
<i><span style="font-weight: 400;">Organizations that have a Strong Cybersecurity culture have the following: </span></i><span style="font-weight: 400;"> </span>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Senior leadership support from Board and Exco that echo the importance of cybersecurity within the organization. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Defined a security awareness strategy and programme, including the Key Performance Indicators (KPIs). </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Targeted awareness campaigns which segment staff based on risk. Grouping users by risk allows for messages and the frequency of messages to be tailored to the user group. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">A cybersecurity champion programme which allows for a group of users embedded in the organization to drive the security message. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Usage of various of mediums to accommodate different types of people who learn differently. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees are always encouraged to report cybersecurity incidents and they know where and how and to report incidents. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Creating an organizational culture where people are encouraged to report mistakes could be the difference between containing a cyber incident or not. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Measurements to test effectiveness: This is often done with phishing simulations. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees have a clear understanding of what acceptable vs what is not acceptable. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Information security becomes a shared responsibility instead of CISO’s sole responsibility. </span></li>
</ul>
<h3>The below image depicts percentage of adopted awareness capabilities<span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">Security architecture principles such as Defence in Depth, the failure of a single component of the security architecture should not compromise the security of the entire system. A defense-in-depth mechanism should be applied to mitigate phishing related risks. </span>
<span style="font-weight: 400;">This approach applies security in different layers of protection, which implies that if one control fails the next layers of controls will be able to block or stop the phishing attack. The controls involve a combination of people, processes and technologies. </span>
<span style="font-weight: 400;"><a href="https://en.wikipedia.org/wiki/User_behavior_analytics" target="_blank" rel="nofollow noopener">User behavior analytics (UBA)</a> should be used to augment the awareness programme by detecting insider threats, targeted attacks, and financial fraud and track users’ activities. </span><span style="font-weight: 400;">Advanced our phishing attack simulations by using GEN AI based simulations should also be conducted to combat advanced <a href="https://thecyberexpress.com/walmart-most-imitated-brand-phishing-attacks/" target="_blank" rel="noopener">phishing attacks</a>. </span>
<h3>Possible Measurements<span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">There are several measures that can be applied to measure the level of a security conscious culture: </span>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees attitudes towards security protocols and issues. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Behaviour and actions of employees that have direct and indirect security implications. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees understanding, knowledge and awareness of security issues and activities. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How communication channels promote a sense of belonging and offer support related to security issues and incident reporting. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employee knowledge, support and compliance to security policies, standards and procedures. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Knowledge and adherence to unwritten rules of conduct related to security. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How employees perceive their responsibilities as a critical success factor in mitigating cyber risks. </span></li>
</ul>
<h3>Conclusion<span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">According to <a href="https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025" target="_blank" rel="nofollow noopener">Gartner</a>, by 2025, 40% of cybersecurity programs will deploy socio-behavioural principles (such as nudge techniques ) to influence security culture across the organization. </span>
<span style="font-weight: 400;">Recent human based cyber-attacks, together AI enabled phishing attacks, make it imperative to tighten human based controls. Promoting a security conscious culture will play a fundamental role in transforming people from being the weakest into the strongest link in the cybersecurity chain. </span>
<span style="font-weight: 400;">Building a cybersecurity culture is crucial because it ensures that everyone understands the importance of cybersecurity, adherence to the relevant information security policies and procedures, increase the level of vigilance and mitigate risks associated with <a href="https://thecyberexpress.com/protecting-against-data-breaches/" target="_blank" rel="noopener">data breaches</a>. Furthermore a strong cybersecurity culture fosters better collaboration, accountability and improved security maturity.</span>
<span style="color: #ff0000;"><strong><em>Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of <a href="https://thecyberexpress.com/" target="_blank" rel="noopener">The Cyber Express</a>. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. </em></strong></span>
https://thecyberexpress.com/fostering-in...y-culture/
<p><img width="1000" height="667" src="https://thecyberexpress.com/wp-content/uploads/security-culture.webp" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="security culture" decoding="async" srcset="https://thecyberexpress.com/wp-content/uploads/security-culture.webp 1000w, https://thecyberexpress.com/wp-content/u...0x200.webp 300w, https://thecyberexpress.com/wp-content/u...8x512.webp 768w, https://thecyberexpress.com/wp-content/u...0x400.webp 600w, https://thecyberexpress.com/wp-content/u...0x100.webp 150w, https://thecyberexpress.com/wp-content/u...0x500.webp 750w" sizes="(max-width: 1000px) 100vw, 1000px" /></p><span style="color: #ff0000;"><em><strong>By <a style="color: #ff0000;" href="https://www.linkedin.com/in/sithembile-songo-08695328/?original_referer=https%3A%2F%2Fwww%2Egoogle%2Ecom%2F&originalSubdomain=za" target="_blank" rel="nofollow noopener">Sithembile (Nkosi) Songo</a>, Chief Information Security Officer, ESKOM </strong></em></span>
<span style="font-weight: 400;">According to the Ultimate List of Cybersecurity Statistics, 98% of cyber attacks rely on social engineering. Social engineering and phishing attacks tactics keep on evolving and targeting a diversified audience form executives to normal employees. Advanced phishing attacks that can be launched using GEN AI. There is also a shift in motivation behind these attacks, such as financial gain, curiosity or <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-data/" target="_blank" rel="noopener" title="data" data-wpil-keyword-link="linked" data-wpil-monitor-id="4695">data</a> theft. </span>
<span style="font-weight: 400;">Recent attacks have shown that <a class="wpil_keyword_link" href="https://thecyberexpress.com/cyber-news/" target="_blank" rel="noopener" title="cyber" data-wpil-keyword-link="linked" data-wpil-monitor-id="4694">cyber</a> criminals continue to use various social engineering tricks, exploiting human weaknesses. Attackers are evolving from only exploiting technology vulnerabilities such as using automated exploits to initiate fraudulent transactions, steal data, install <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-malware/" target="_blank" rel="noopener" title="malware" data-wpil-keyword-link="linked" data-wpil-monitor-id="4691">malware</a> and engage in other malicious activities. </span>
<span style="font-weight: 400;">Furthermore, it is a well-documented fact that people are deemed to be the weakest link in the cybersecurity chain. Traditional security controls put more focus on the technical vulnerabilities as opposed to the human related vulnerabilities. Threat actors are transitioning from traditional system and or technology related cyber-attacks to human based attacks. The cyber criminals have identified and are now taking advantage of uninformed or untrained workforce by exploiting the human related vulnerabilities. </span>
<span style="font-weight: 400;">Employees often make it too easy by posting a huge amount of information about themselves, including daily status, activities, hobbies, travel schedule and their network of family and friends. Even small snippets of information can be aggregated together. Bad guys can build an entire record on their targets. Employees, especially those that are targeted, should limit what they post. Bad guys leverage on other weaknesses, such as the improper destruction of information through dumpster diving and <a href="https://thecyberexpress.com/totalrecall-tool-extracts-recall-data/" target="_blank" rel="noopener">unencrypted data</a>. The three most common delivery methods are email attachments, websites and USB removable media. </span>
<span style="font-weight: 400;">Properly implemented USB policies and trained users can identify, stop and report phishing attacks. Well-educated workforces on all the different methods of social engineering attacks are more likely to identify and stop the delivery of these attacks. </span>
<span style="font-weight: 400;">While malicious breaches are the most common, inadvertent breaches from human error and system glitches are still the root cause for most of the data breaches studied in the report. Human error as a root cause of a breach includes “inadvertent insiders” who may be compromised by phishing attacks or have their devices infected or lost/stolen </span>
<span style="font-weight: 400;">Entrenching a security conscious culture is therefore extremely important in today’s digital age. <a href="https://thecyberexpress.com/embracing-cybersecurity-awareness-month/" target="_blank" rel="noopener">Cyber awareness</a> is of utmost importance in today’s digital age. </span>
<h3>What is "Security Culture"? <span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">Security culture is the set of values shared by all the employees in an organization, which determine how people are expected to perceive and approach security. It is the ideas, customs and social behaviours of an organization that influence its security. Security culture is the most crucial element in an organization’s security strategy as it is fundamental to its ability to protect information, data and employee and customer <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-privacy/" target="_blank" rel="noopener" title="privacy" data-wpil-keyword-link="linked" data-wpil-monitor-id="4690">privacy</a>.</span>
<span style="font-weight: 400;">Perception about cybersecurity has a direct impact to the security culture. It could be either positive or negative. It’s deemed to be positive if information security is seen as a business enabler and viewed as a shared responsibility instead of becoming the <a href="https://thecyberexpress.com/cyberattack-on-change-healthcare-3/" target="_blank" rel="noopener">CISO’s sole responsibility</a>. On other hand it’s perceived negatively if security viewed a hindrance or a showstopper to business or production.</span>
<span style="font-weight: 400;">A sustainable security culture requires care and feeding. It is not something that develops naturally, it requires nurturing, relevant investments. It is bigger than just ad-hoc <a class="wpil_keyword_link" href="https://thecyberexpress.com/cyber-security-events/" target="_blank" rel="noopener" title="events" data-wpil-keyword-link="linked" data-wpil-monitor-id="4693">events</a>. When a security culture is sustainable, it transforms security from ad-hoc events into a lifecycle that generates security returns forever. Security culture determines what happens with security when people are on their own. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure throughout the development life cycle. </span>
<span style="font-weight: 400;">Security culture should be engaging and delivering value because people are always keen to participate in a security culture that is co-created and enjoyable. Furthermore, for people to invest their time and effort, they need to understand what they will get in return. In other words, it should provide a return on investment, such as improving a business solution, mitigating <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-are-risks-in-cybersecurity/" target="_blank" rel="noopener" title="risks" data-wpil-keyword-link="linked" data-wpil-monitor-id="4692">risks</a> associated with cyber breaches. </span>
<span style="font-weight: 400;">Culture change can either be driven from the top or be a bottom-up approach, depending on the composition and culture of the organization. A bottom-up approach rollout allows engaged parties to feel they are defining the way forward rather than participating in a large prescriptive corporate program, while support from the top helps to validate the change, regardless of how it is delivered. </span>
<span style="font-weight: 400;">In particular, a top-down mandate helps to break down barriers between various business functions, <a href="https://en.wikipedia.org/wiki/Information_security" target="_blank" rel="nofollow noopener">information security</a>, information technology, development team, operations, as well as being one of the few ways to reach beyond the technical teams and extend throughout the business.</span>
<i><span style="font-weight: 400;">Organizations that have a Strong Cybersecurity culture have the following: </span></i><span style="font-weight: 400;"> </span>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Senior leadership support from Board and Exco that echo the importance of cybersecurity within the organization. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Defined a security awareness strategy and programme, including the Key Performance Indicators (KPIs). </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Targeted awareness campaigns which segment staff based on risk. Grouping users by risk allows for messages and the frequency of messages to be tailored to the user group. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">A cybersecurity champion programme which allows for a group of users embedded in the organization to drive the security message. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Usage of various of mediums to accommodate different types of people who learn differently. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees are always encouraged to report cybersecurity incidents and they know where and how and to report incidents. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Creating an organizational culture where people are encouraged to report mistakes could be the difference between containing a cyber incident or not. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Measurements to test effectiveness: This is often done with phishing simulations. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees have a clear understanding of what acceptable vs what is not acceptable. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Information security becomes a shared responsibility instead of CISO’s sole responsibility. </span></li>
</ul>
<h3>The below image depicts percentage of adopted awareness capabilities<span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">Security architecture principles such as Defence in Depth, the failure of a single component of the security architecture should not compromise the security of the entire system. A defense-in-depth mechanism should be applied to mitigate phishing related risks. </span>
<span style="font-weight: 400;">This approach applies security in different layers of protection, which implies that if one control fails the next layers of controls will be able to block or stop the phishing attack. The controls involve a combination of people, processes and technologies. </span>
<span style="font-weight: 400;"><a href="https://en.wikipedia.org/wiki/User_behavior_analytics" target="_blank" rel="nofollow noopener">User behavior analytics (UBA)</a> should be used to augment the awareness programme by detecting insider threats, targeted attacks, and financial fraud and track users’ activities. </span><span style="font-weight: 400;">Advanced our phishing attack simulations by using GEN AI based simulations should also be conducted to combat advanced <a href="https://thecyberexpress.com/walmart-most-imitated-brand-phishing-attacks/" target="_blank" rel="noopener">phishing attacks</a>. </span>
<h3>Possible Measurements<span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">There are several measures that can be applied to measure the level of a security conscious culture: </span>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees attitudes towards security protocols and issues. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Behaviour and actions of employees that have direct and indirect security implications. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employees understanding, knowledge and awareness of security issues and activities. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How communication channels promote a sense of belonging and offer support related to security issues and incident reporting. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Employee knowledge, support and compliance to security policies, standards and procedures. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Knowledge and adherence to unwritten rules of conduct related to security. </span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How employees perceive their responsibilities as a critical success factor in mitigating cyber risks. </span></li>
</ul>
<h3>Conclusion<span style="font-weight: 400;"> </span></h3>
<span style="font-weight: 400;">According to <a href="https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025" target="_blank" rel="nofollow noopener">Gartner</a>, by 2025, 40% of cybersecurity programs will deploy socio-behavioural principles (such as nudge techniques ) to influence security culture across the organization. </span>
<span style="font-weight: 400;">Recent human based cyber-attacks, together AI enabled phishing attacks, make it imperative to tighten human based controls. Promoting a security conscious culture will play a fundamental role in transforming people from being the weakest into the strongest link in the cybersecurity chain. </span>
<span style="font-weight: 400;">Building a cybersecurity culture is crucial because it ensures that everyone understands the importance of cybersecurity, adherence to the relevant information security policies and procedures, increase the level of vigilance and mitigate risks associated with <a href="https://thecyberexpress.com/protecting-against-data-breaches/" target="_blank" rel="noopener">data breaches</a>. Furthermore a strong cybersecurity culture fosters better collaboration, accountability and improved security maturity.</span>
<span style="color: #ff0000;"><strong><em>Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of <a href="https://thecyberexpress.com/" target="_blank" rel="noopener">The Cyber Express</a>. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything. </em></strong></span>
https://thecyberexpress.com/fostering-in...y-culture/