No one will argue the importance of a security strategy to protect a company against ever-evolving cybersecurity threats. Yet, getting buy-in from an organization’s stakeholders can be difficult due to staff that is stretched too thin and budgetary constraints. IT professionals have a double burden when it comes to making a case for security best practices. First, they need leadership to invest in security technology, and second, they have to convince employees that they’re part of the solution. With most people resistant to change, it can be challenging to foster a security-first culture, but it must be done.

When seatbelts were first introduced in the 1980s, only 14% of Americans regularly wore them despite the fact that the National Highway Traffic Safety Administration (NHTSA) required them in new cars as of the late 1960s. Even though seatbelts could save lives, they were met with tremendous resistance and the belief they were an infringement on personal freedom. Eventually, drivers and passengers alike accepted the life-saving device and no one questions wearing them today.

Engage employees in security awareness training

The same concept of changing mindsets applies to engaging workers in security awareness training. Employees are the first line of defense, but often they’re busy with pressing work responsibilities and view these exercises as a chore or task. This is where a learning management system can help by offering dynamic security content to get personnel invested in keeping the company safe from cyberattacks. Companies can access a set of phishing campaign kits, video lessons and customizable simulations that test, train and measure employees’ security awareness level. Campaigns can even be automated to direct phishing simulations to specific groups and then reports are generated to measure results. Different campaigns and messaging can target specific people, and phishing simulations can be scheduled for specific timeframes to prevent staff from warning each other.

Additionally, to keep people interested in the exercises, it needs to be easy, short and visual. Typically, 15-20 minutes is the ideal timeframe so participants will remember what they learned. An online quiz should immediately follow the training to confirm comprehension and retention and offer a report that summarizes results. A key benefit of involving employees is that they will feel empowered and responsible for ensuring the organization’s security.

Implement solutions to get the job done

Adopting a security-first culture means realizing it’s people-first to counter threats. Single Sign-On (SSO) along with solutions for phishing and password management (password managers or vaults) can also strengthen an organization’s security posture. SSO boosts protection because users only need one set of credentials to log in to their applications.

Phishing continues to be a favored mode of attack and these types of emails are getting more sophisticated. Phishing prevention requires a comprehensive strategy that accounts for artificial intelligence (AI), email security and cybersecurity awareness training. AI-based monitoring software analyzes email communications for behaviors that include the devices’ external senders and employees, who and when they message, and from where. Profiles of trusted email senders are generated from the collected data and then used to compare incoming emails to these profiles to verify the sender and detect and prevent phishing attacks. Malicious emails are automatically quarantined, so recipients don’t get harmful messages.

Another tool that supports a security-first culture is a password management platform that offers client centralized password management. Employees who use emails, spreadsheets and even sticky notes to store or share passwords could lead to a compromise that can bring an organization to a standstill. Besides being unsafe, it also becomes difficult to locate them when needed. But as part of a password management offering, passwords and other confidential information can be safely stored and quickly accessed. Additionally, these solutions create permissions and audit trails to restrict sensitive data to authorized users only. With access control, it becomes transparent who is accessing and updating information, and who is using what passwords.

A layered approach is best

Besides engaging employees in security training and implementing tools to support efforts, it’s also essential to incorporate a layered approach that takes physical security into consideration. Physical controls limit physical access to IT systems, for example, locked doors. The server room is another area that should be protected with restricted access, video monitoring and even security gates.

As part of a layered security architecture, cybersecurity solutions should also provide regular vulnerability scanning, patch management and also monitor for compromised credentials. A security operations center (SOC) keeps round-the-clock tabs on an organization’s IT infrastructure — from its networks and devices to its appliances — wherever they may live.

It is also critical to have a business continuity and disaster recovery (BCDR) solution in case the day everyone dreads does come. A BCDR tool will help recover data and ensure the organization can get back online in a timely manner. Finally, key technologies should be automated to free up time to focus on more important tasks.

Creating a security-first culture starts with an organization’s people and that means they must be up-to-date on the latest threats by receiving regular security awareness training. To further strengthen security awareness, organizations need to invest in solutions for anti-phishing, identity access management (MFA, SSO, Password Managers), BCDR and approach security from a comprehensive, layered approach. The more measures in place — employee training, cybersecurity solutions and physical controls — the lower the possibility cyberattackers will find a way in and wreak havoc on an organization. And if they were to find a way and cause havoc, BCDR gives you resiliency to recover from the worst.