Culture Shock: Unravelling the Cyber Security Puzzle


“Oh no, we don’t do cyber security in my company” …is a sentence nobody says in 2020. For all business leaders and employees, having some awareness of cyber security is now a vital component to operating any modern-day organisation. But is it enough to recognise that cyber security is just something to be aware of? This blog looks at what it takes to build an effective cyber security culture in an organisation.

Everyone from the CEO to the night porter must be aware of, and understand, their role in how the company protects itself from cyber-attacks. It is noteworthy that companies with a healthy and mature cyber security culture detect threats quicker and respond far more efficiently. When everyone works together, understands their duty and knows the business’s capabilities, all underpinned by an effective incident response plan, the business becomes more resilient to any type of cyber-attack.

Let us now examine one of the most revered responses to a cyber-attack on record to see how a properly developed culture can protect a business. In 2019, a Norwegian aluminium and renewable energy company called Norsk Hydro was hit by a ransomware attack. During this attack, several thousand servers and PCs were rendered inoperable and the company was held to ransom by the attackers. All 35,000 Norsk Hydro employees across 40 countries were affected, and it was at this point that the company immediately enacted its prepared incident response (IR) plan. After an initial consultation involving the relevant stakeholders of the IR team, the decision was made to:

1. Pay no ransom

2. Engage a specialist incident response team to help restore operations

3. Communicate publicly and openly about the breach

One of the key learning points here, and one that is relatively rare in cases such as this, is that the organisation responded to the incident with complete transparency. Once the initial response to the attack was complete, the company held a daily press conference to update the public, investors and stakeholders on the progress of the incident and to brief them on the state of its current operations. The company also encouraged all members of staff to work offline, having set up a communication channel with its clients via its Facebook page as an alternative means of communication.

Another key factor is that Norsk already had a back-up system in place to deal with incidents such as this, which meant that its main aim during the incident was to restore the backed-up data and clean its systems of any ransomware. The reason this approach was so successful and seamless was that the company had practised its IR plan before the attack, and senior management and employees across the business understood the company’s cyber security procedures. They knew their roles, they knew the alternative methods of operating and they understood the changes that would have to be implemented when the attack took normal operations offline.

It All Starts at the Top

Norsk is a prime example of the type of approach required to manage cyber security risk and incidents successfully. The company adopted a top-down approach to cyber security, recognising that cyber is a boardroom issue and not just an ‘IT issue’. Its cyber security professionals operate at boardroom level and have the power and support to implement cyber security policy and security changes across the business.

Building Relationships

In an ideal world, there should be a symbiotic relationship between the members of the board, Cyber Security, Human Resources, IT and Legal. This relationship is vital because it ensures that security requirements are collected from every part of the business, and it drives the security culture. Below are some examples of how different areas of the business can support cyber security culture:

1. Board Members – need to champion and support cyber security by giving the correct priority level to cyber security risk and providing the security team with enough resources.

2. Information Security Officer – should possess the necessary expertise in information security and be able to align cyber security with the overall organisational strategy.

3. IT Department – needs to contribute its technical knowledge towards solutions that are effective yet not restrictive, and that support positive security behaviour.

4. HR – can provide a connection between management and employees by overseeing all staff-facing practices and policy. Examples include raising awareness and enforcing cyber security policies.

5. Legal – ensures that all practices are compliant with current legislation and defines what can be asked of employees in terms of their contracts. For example, if the company monitors employee behaviour, the legal department can ensure that the monitoring falls within the boundaries of the law.

As you can see, the above requires careful coordination and planning to ensure all departments work together. Creating an open framework for security, and giving the person responsible for cyber security the authority to enact their plan, should ensure the company is agile and responsive to all types of cyber security threat.

Returning to the Norsk example, its approach to communication was to ensure everyone (internal and external to the business) always knew the current state of the situation, in terms of what had happened and what was going to happen. By doing so, Norsk ensured that everyone had the information they needed to behave appropriately, and gave the security team the ability to resolve the incident as quickly as possible.

Understanding Risk

A good place to start embedding cyber security culture into a business is by understanding, and subsequently managing, cyber risk within the business. If managed effectively, the security of your organisation should begin to align with the overall business strategy across the following types of risk:

1. Operational Risk – is reduced by cyber security implementation, because of the reliance nowadays on the security of digital services such as email, software and remote access.

2. Legal Risk – contractual and regulatory requirements (e.g. GDPR) require an understanding of cyber security in order to protect data.

3. Financial Risk – is impacted by cyber security because of the potential consequences of attacks, such as monetary loss due to fraud or revenue loss due to services being offline.

4. Innovative Risk – investing in new technology could allow you to maximise your revenue growth, but failing to take into consideration the security risks of new technology could leave you open to cyber-attacks.

Returning to the Norsk case study, prior to the cyber-attack the company had managed its innovative risk by investing in back-up solutions for all of its files and systems. A small investment in the grand scheme of things meant it was able to save almost all of its data. The operational risk was also dealt with effectively, as the company was able to switch relatively quickly to an alternative method of communication outside its standard network. This allowed it to continue working, albeit at a reduced operational capacity, which significantly limited the financial impact to the business.

Situational Awareness

In order to achieve the same level of proficiency as Norsk, you must attempt to gain buy-in from all the different areas of the business. Without a collective understanding, your security plan will have weaknesses. To help with this, you should research and maintain a list of the different threats that affect each department throughout the business. This will give you a complete understanding of the difficulties faced by every part of the business. To begin, you could:

1. Carry out research into cyber crime in your sector by collating reports, publications and statistics to support your findings. Draw on high-profile media stories, as these can help when presenting cyber security breaches and their consequences, and then enable you to demonstrate how cyber security can make a difference to your organisation.

2. Use evidence collated by your IT department, such as reports, statistics from servers, and output from security tools identifying successful and unsuccessful attacks against the business. Then highlight what these attacks would have cost had they been successful, including any indirect costs and any lost production. This data can be used to support the cyber security programme within the business.

3. Run simulated attacks by picking specific areas of the business and measuring specific behaviours, such as the number of people who click on a phishing email, and highlight the potential impact to the business.

Embrace Cyber Culture

You can embed cyber security within the culture of the business by considering your employees’ needs and current practices. Researching what employees want and how they behave can reveal areas that need attention or have been missed in your security plan. The areas you then choose to improve should complement the cyber security strategic plan and work in conjunction with current systems and technology. Some areas you could investigate include:

· The types of training topics you offer

· Cyber security awareness programmes

· How cyber security is being delivered to employees

· Resources provided to employees for supporting or developing cyber security

· Highlighting success stories and implementing a ‘Lessons Learned’ capability

One of the most important aspects of a cyber security culture is the creation of an environment that is receptive to the concept. Employees must embrace, and be confident operating within and supporting, the cyber security features of a business. The message and procedures must be clear and concise, with no room for ambiguity. If one person is confused by the phishing reporting methodology, then it is most likely that a further ten people feel the same but are unwilling to say anything.

Collaboration and confidence are key to building and establishing the culture, and the responsibility for this lies with the leadership of the business. As with our very first point, it all starts at the top. If management embraces the culture, then everything else will fall into place relatively easily.

Here at Marclay Associates, we specialise in developing secure and great cyber security programmes for businesses. Our outsourced Chief Information Security Officer service can be tailored towards your requirements. If you would like more information on any of our services, please contact us on +44 2030 393 395, visit our website or email us at