We have seen a clear increase in cyber attacks targeting employees in public and private companies, and the number of successful attacks reinforces the impression of a "poor" security culture in Norwegian organizations and companies. Everyone can be attacked, but inadequate employee training and awareness increase the risk considerably. One wrong click can give hostile states and criminals access to digital information and systems. The consequences are often large, measured financially and in terms of reputation - and ultimately affect larger parts of society.
Everyone has their own perception of what a "safety culture" is, and often adapts their approach to "safety" depending on the situation. You may be more vigilant at the office desk than when you surf at home in the living room, and in some roles you are more aware of safety than in others. In this post, we address "safety culture" in the work situation, but will also emphasize that you should maintain a good safety culture regardless of where you are and what you do.

To understand the scope of your business's "safety culture", you should look at the relationship between several factors. An assessment of whether the safety culture is "good" or not can therefore be based on an analysis of the employees':

- understanding of safety,
- knowledge of information security in general,
- attitude to the company's safety procedures,
- communication about the company's security,
- compliance with regulations and routines,
- knowledge of the unwritten safety rules, and
- responsibility the individual employee feels for the safety of the company.

Seven tips we at Watchcom have to build a good security culture in your business:

1. Map the level in the business to assess where measures should be put in place
2. Complete exercises and training - in the same way that fire drills prepare the employees for a possible fire, drills in cyber security will provide predictability in the event of a cyber attack
3. Keep your business informed about new threats and trends, and how the company intends to secure itself against these
4. Keep your security policy up to date - make sure everyone in the business is familiar with the latest version and knows where to find it
5. Follow up on employees' practices and consider sanctions for non-compliance with policy
6. Clarify the individual's responsibilities for safety
7. Allow for growth and failure - show that employees do not have to fear anything if they are affected by an incident, and lower the threshold for reporting incidents

People must become a central part of the security strategy, and by appointing "security ambassadors" who support and guide the employees, the management contributes to creating a positive organizational culture where security is an important element. Transparency about incidents and discoveries is important to remind us all that security is a team effort and that employees are the most important barriers to unwanted cyber attacks.

Culture has an enormous influence and can have a great impact on the information security of a company. Let's use the security month to establish security as part of the culture, and learn from each other's experiences. Then we do the same thing next month, the rest of the year, next year, and so on. This is how we can reduce the number of cyber attacks and make society safer for all of us.

Text written by Mark Stegelmann, Head of Consulting at Watchcom.