Security Culture: How Everyone Plays a Part in Keeping Your Organization Secure
We all know that digital threats are not solely a problem of technology. They oftentimes trace back to human weakness. Let’s remember Verizon Enterprise’s 2018 Data Breach Investigations Report, which found that phishing was the third most prevalent type of attack in all incidents and breaches recorded for the year. Together with pretexting, phishing also accounted for 93 percent of breaches, while email served as the most common attack vector in 96 percent of cases.
Verizon’s findings underscore an important point that all of us need to remember: to create a robust digital security posture, we must focus on the human element. Maurice Uenuma, a Strategic Account Manager with Tripwire, drove this point home in a recent blog post by explaining how improving security must extend beyond just hiring more security professionals:
“An organization cannot be secure until the entire workforce is engaged in reducing cyber risks. Each member of the group has the power to harm or to help, since each one has access to information systems, handles sensitive data, and makes decisions every day which maintain, erode, or strengthen the human “attack surface” of the organization. But most employees lack the interest or knowledge to contribute positively to the organization’s security.”
So what are we to do to address this all too human tendency?
In “Cybersecurity is Everyone’s Job,” the National Institute of Standards and Technology (NIST) explains that the answer lies in building a cyber-secure culture – an organization-wide ethos that emphasizes, reinforces, and drives behavior toward security. My main takeaway from this resource is that organizations all need the right mindset along with suitable training and awareness programs to support a cyber-secure culture. But it can’t just be a few employees who get the message because attackers will find the weak link. Everyone needs to help uphold the organization’s security culture.
What would this look like, in practice, you ask? While the IT and information security departments certainly play a central role, everyone in every department has a part to play in ensuring their company is safe from cyberattack. Obviously, there are too many departments to discuss here, but let’s look at a few to illustrate the concept, with thanks to the NIST’s guidebook for help.
Increasingly, blame for a data breach is going to the top of an organization. This helps explain why CEOs at Equifax, Sony Pictures and Target stepped down after their companies suffered a security event. Taking it one step further, one U.S. Senator has introduced a bill under which CEOs would get jail time for failing to disclose privacy violations.
Due to this evolving legal outlook, but also due to an increased understanding of security risks and the possible impact on business performance, CEOs are getting more involved in digital security. According to Accenture’s 2018 State of Cyber Resilience report, two-thirds of CEOs and boards have the ultimate say for the organizational role of digital security.
A senior executive team is nothing less than the single most important factor in influencing awareness and fostering a security mindset. For them to live up to this responsibility, they must incorporate digital risk in their overarching strategic business plan by not treating it as a low-priority, isolated project, and by understanding its organizational impacts.
Executives can demonstrate to all employees the importance of security by role modeling best practices, and including security considerations in business planning and on-going conversations. They also need to take the lead on adequately funding digital security requests as well as ensuring that risk assessments and best practices inform the organization’s security policies.
Human Resources (HR) is in the unique position of managing a new employee’s introduction to the company. In this capacity, they have a responsibility to set expectations about security right out of the gate. This team can include security training in new employee orientation and implement on-going refresher courses.
Of course, at the other end of an employee’s tenure, HR also has lots to do whenever an employee leaves the organization. In terms of digital security, one of the most important things that they need to do is to make sure these employees have returned all corporate devices in their possession and close their accounts. An employee can otherwise jeopardize the organization’s data security. We need to look only as far as Coca Cola and the Chicago Public Schools to understand the threats involved.
The HR team managing employee departure processes needs to immediately notify Information Technology (IT) when it learns that an employee is leaving. It also must update not only its own records but also corporate directories with the employee’s employment status in order to trigger a cascading series of permission changes across all platforms and applications.
Along the way, HR holds the role of guardian of employee data. The department has the responsibility of implementing the absolute best possible security mechanisms to prevent unauthorized access to the employee database. Finally, team members must be particularly sensitive to phishing and social engineering schemes that frequently target HR departments.
Marketing and the CRM Platform
Trust is everything in the business world. Once you’ve lost it, it’s hard to get it back. That’s especially the case when it comes to maintaining trust with customers.
Accordingly, those in sales, marketing, and communications need to protect customers’ information by sharing only necessary data and ensuring those details are secure. They are also responsible for protecting a critical company asset – the organization’s customer relationship management (CRM) platform – which includes destroying data when required to do so by the organization’s data retention policies.
In this case, security basics go a long way. For instance, these professionals can use strong passwords along with multi-factor authentication (MFA) and identity and access management (IAM) controls. In addition, it’s important to remove employees and vendors from the CRM platform as soon as they are no longer involved with the organization.
Marketing is also responsible for developing and, should it be needed, implementing a communications plan for a security incident. Instead of scrambling when disaster strikes, it’s far better to know in advance precisely what steps will be taken, in what order, for notifying employees, partners, customers, regulators, media, and the general public.
Every Employee Has a Part to Play
Every employee in every department has a role to play in keeping the company secure. At the very least, this includes awareness of the risks and basic security practices, such as keeping an eye open for phishing emails, being wary of possible social engineering schemes, and using strong passwords. Here are a few additional examples of what specific departments can do:
- Finance has the responsibility of maintaining the confidentiality and integrity of sensitive financial data. It can also work with other business functions to develop plans for emergency spending in case of a security incident, as well as consider purchasing cyber insurance for the company.
- Legal and Compliance can support the company’s security posture by minimizing the liabilities resulting from the company’s security culture and ensuring compliance with cybersecurity and privacy laws, regulations, and standards.
- Facilities, while mostly associated with protecting the physical plant, can help by integrating digital security with physical safety and security. For example, they can engage IT and operational technology (OT) stakeholders to identify risks that threaten the resilience of the organization’s industrial control systems and other physical systems.
Anyone Can Be a Security Hero
Mr. Uenuma does a great job highlighting the value of NIST’s guide for those of us looking to help create a security-conscious culture:
“This resource serves as a ready reference for all leaders who are interested in reducing cybersecurity risks by effectively engaging the workforce. It can also serve as an entry point for non-technical and non-security professionals who are looking for effective ways to do their part in securing the organization.”
That being said, it’s important to remember that a cyber-secure culture built on constant employee training, awareness, processes, and vigilance can only go so far. Every company also needs the right technology to block the ceaseless barrage of advanced digital attacks threatening corporate networks.