Security Awareness

Ending the Culture of Silence in Cyber Security

Nick Santora

Do you think every employee in your organization would speak up if they thought a phishing or cyber attack was looming? Are you able to have tough conversations about cyber security with your board or management team?

The term ‘Culture of Silence’ is more relevant in cyber security now than ever before. Add compliance into the mix, and you have a recipe for employees to stay quiet for fear of getting in trouble.

We’re here to break down why the culture of silence is becoming a growing problem and how to create a more transparent security culture.

Why do people stay silent when they experience a cyber attack?

Most people will encounter a potential cyber attack, or fall victim to one, at several points in their career. It’s common enough that each of us has some kind of shared experience everyone can relate to. So why wouldn’t employees want to speak up about this risk? Why wouldn’t they share the phishing attempt they just dodged, or even fell for?

Our research shows two primary reasons that I’ll break down:

  • People don’t want to look stupid
  • People don’t want to get into trouble

Think about it for a second: this isn’t really a new concept to us. If someone breaks into our house, we call 911 and they help. If we get in a car accident, we call first responders. If we are sick, we go to doctors for help. When these incidents happen, we rarely blame the victim, so why are victims of cyber attacks blamed?

Well, imagine leaving your front door unlocked and wide open, and then your house gets broken into. You wouldn’t feel great about that story and wouldn’t want to share the details with anyone unless you had to.

People don’t want to look stupid to others, so our natural defense mechanism is to stay silent.

This is what is happening in our industry. We are making extremely obvious and preventable mistakes. Of course anyone would be embarrassed to admit a blatantly obvious mistake, and this is no different. Our mission is to help people understand what those obvious and preventable mistakes look like and stop them from happening in the first place.

Employees shouldn’t be embarrassed to admit cyber mistakes, nor should they shrug them off with “it happens.” Cyber attacks will only increase as technology evolves, so it’s time to do something about it before things get worse. Today, the fear of looking stupid in front of peers is leading us into a culture of silence, and silence wins.

People don’t want to get in trouble. We generally want to follow the rules, so when something happens that goes out of bounds, we get scared and stay quiet to protect ourselves. While this natural instinct is useful elsewhere, it’s not great for security or compliance. We need to promote a culture that embraces reporting issues, a culture founded on teamwork and confidence that others will help.

A strong compliance and security program is built on trust. We have to be able to trust our employees to make the right decisions when we are NOT looking at them. We have to trust that they will report a security issue. We have to trust that they will report a compliance issue. Trust is established when the fear of NOT reporting an issue is greater than the fear of reporting it.

At organizations that use Curricula, we encourage employees to report phishing emails to their IT department, but for individuals outside of work there isn’t a great place to report phishing emails. That leaves individuals feeling like they are on their own. Your role as a leader is to encourage and endorse reporting by showing how helpful it is in preventing attacks. Show your employees that you need their help to be successful.

Who’s most vulnerable to a cyber attack?

The short answer: EVERYONE! Anyone who has a password, an email account, a phone, or a presence online is vulnerable to a cyber attack. Nowadays it’s nearly impossible to find anyone who doesn’t meet at least one of those criteria.

However, some demographics are targeted more than others:

  • Individuals over the age of 65: Cybercriminals prey on vulnerable individuals who aren’t technologically savvy and don’t know what cyber attacks look like. Personally, my grandparents have been targeted on a number of occasions and even fell victim to a cyber attack.
  • Young adults: Paradoxically, people under the age of 25 combine naivety with false confidence, mistaking comfort with technology for an understanding of security.
  • Remote workers: As organizations have gone remote, the risk of attacks on employees has risen with it. Employees may be using their own devices and home WiFi, and it’s harder to monitor everyone’s security practices.
  • C-levels (or people who work closely with them): Spear-phishing is the primary method of attack against this group. Messages can be tailored to be extremely believable, and when the target is an executive the attack is often called whaling.

All of these demographics have one thing in common: they’re unlikely to speak out about their experience unless they feel comfortable doing so. We need to create a culture of security and transparency so that we start sharing with each other.

Taking steps to build a security culture

Companies need to set the tone by encouraging employees to speak up, educating them with engaging security awareness training, and coming forward when the company itself experiences an attack. Doing so can save not only time and money, but also your organization’s reputation.

Cyber attacks are inevitable; what keeps them from succeeding again is education and sharing past experiences so history doesn’t repeat itself. Organizations that intentionally hide their cyber incidents only tarnish their own reputation, instead of acknowledging the mistake and doing something about it. Coming forward is a good stepping stone toward cyber-attack transparency and toward understanding what we are really up against. Building a security culture is more than just talking the talk; it’s about walking the walk too.

How to create a cyber-safe workplace

Those of us who work in cybersecurity have all heard friends, loved ones, and colleagues say “someone actually tried to phish me,” and then tell the story of the attack they encountered. So clearly this is something people not only need but also want to talk about. It’s just about taking the first step.

Here are three actions you can take to help end the culture of silence:

  1. Sharing is caring: Being open with family, friends, employees, and employers by sharing stories about encountering cyber attacks helps mitigate, and even prevent, future attacks.
  2. Engaging education: Educate yourself and your employees on cyber best practices with engaging security awareness training. Even if you’re competent with technology, that doesn’t mean you know all the ins and outs of cyber threats; it’s not just phishing, and attacks come in many different forms. Training topics should also cover ransomware, smishing, malware, passwords, social engineering, and more.
  3. Build a culture of security: Employees have a tendency to hide out of fear of getting in trouble. This is a clear indication that security culture is lacking. To build an effective security culture, there has to be an open line of communication with your employees, engaging tactics that get them involved in training, and motivation for the whole organization to work together.

The rapid increase in cyber attacks will only continue if people aren’t more aware of the threats they face. The consequences of a cyber attack are far more harmful than the embarrassment of not ‘saving face’ as an individual or organization. Let’s work together to break the culture of silence and inspire our employees to speak up.

Start creating a more transparent and trusting security culture with your FREE Curricula account!


© 2022 Curricula Group, Inc. All rights reserved.