Beyond IT: How to Create an Organization-wide Cybersecurity Culture

Many organizations think of cybersecurity strictly in terms of information technology (IT): Lock down the data, the assumption goes, and all is well.

But threats aren’t always external – some come from within the organization. In 2017, 28 percent of attacks involved internal actors,¹ and 33 percent of employees have not received any form of cybersecurity training.²

Employees may unintentionally cause data breaches by clicking on a phishing email, inadvertently downloading a malicious document, or accessing a link on their work computer that allows hackers access to your system. Faced with such challenges, credit unions must make cybersecurity part of the company culture. CIOs can kickstart these efforts by engaging each business unit’s leaders to discuss which cybersecurity threats most concern them and by finding ways to create a comprehensive approach that minimizes the risks associated with employee-related cybersecurity threats.

Consider these four essential components of a good employee-related cybersecurity plan:

1. Awareness

To help companies safeguard data, employees must first know what the threats are. First, help them understand data classification and the difference between public and confidential data. Then, from phishing emails to malware to social engineering, teach employees about the tools of cybercriminals’ trade. Communicate your cybersecurity efforts and encourage managers to reinforce awareness of cyber threats in their interactions with employees. It may be worthwhile to create a monthly cybersecurity update detailing the latest security threats. Checklists and “cheat sheets” may also help employees understand the steps they can take to safeguard the organization from cybercriminals. CUNA Mutual Group’s Protection Resource Center has a variety of cyber risk and security resources available at (UserID/Password required).

2. Training

Surprisingly, just 68 percent of organizations provide data protection awareness and training programs for employees.³ Such training can be an invaluable tool in helping employees adopt better cybersecurity practices.

Once employees have a foundational understanding of the threats, create situational or behavior-based training that improves their cyber-awareness. Highlight scenarios that should raise red flags, such as receiving an email message that invites them to click on a link, and explain what to do in each case. Behavior-based training can be as simple as teaching employees whom to contact to find out how to secure a new device in a “bring your own device” (BYOD) network environment.

3. Accountability

In addition to making cybersecurity training part of the onboarding process, include continuous cybersecurity-related activities even in performance evaluations. Performance reviews are often tied to bonuses and compensation, so incorporating cybersecurity data or observed behaviors as a benchmark may compel employees to abide by the company’s best practices.

4. Vendors

Third-party vendors are a critical part of your team, but they also pose their own risks. In fact, 59 percent of organizations report having had a data breach caused by a vendor.⁴ Verify that organizations with which you do business have the same threshold of cybersecurity as your credit union. This includes understanding the steps they take to protect your data, as well as their own. Ask about cybersecurity protocols and risk management regularly to help ensure that your vendors are vigilant in learning about and preventing emerging threats.

Beyond tech tools and policies, addressing the potential threats that employees pose can help you minimize inadvertent breaches and assist your team in keeping credit union data safer.


1 Verizon, 2018 Data Breach Investigations Report, 2018. Web. 14 May 2018.
2 ESET, ESET Survey Reveals Nearly One in Three Americans Receives No Cybersecurity Training in the Workplace. Web. 1 May 2017.
3 Ponemon Institute, Fifth Annual Study: Is Your Company Ready for a Big Data Breach?, February 2018.
4 BusinessWire, Opus & Ponemon Institute Announce Results of 2018 Third-Party Data Risk Study, 2018. Web. 15 November 2018.
