By Tracy Z. Maleeff
Sherpa Intelligence LLC
Information security professionals widely regard employees as one of the greatest risks to keeping an organization’s data safe. Poor password practices, personal devices used for work under BYOD (Bring Your Own Device) policies, and even basic physical security lapses are just some of the weak links that can put a company’s security plan in jeopardy. Rather than make employees feel punished or burdened by security precautions, it is better to create a culture of security within your organization so that everyone feels engaged and part of the process. Create allies, not enemies.
Creating a culture of security within an organization doesn’t happen overnight. It is a multi-pronged effort that, over time, can become part of the overall company culture and values. Here are some steps to put your company on the path to a security culture:
- Defined Roles. Does your company have an Information Security Department? Does it have a CISO or CSO (Chief Information Security Officer or Chief Security Officer)? Or is your “security team” the same overworked help desk staff in the IT Department? Clearly defining who is responsible for answering users’ security questions lets end users know where to turn for help.
- C-Level Buy-In. Upper management and the C-suite need to be on board with the security message. If they need convincing, build a business case for why a security department or security software is needed. Speak to them in their language of dollars and what makes sense for your organization. Find examples of how a data breach and poor security practices can cost a company a great deal of money, customers, or reputation. Explain that “cybersecurity insurance” is not a cure-all: a policy may pay for some of the cleanup after an incident, but it does not prevent the incident, and other measures still need to be in place.
- Approachability. Creating a culture of security means building trust with users. Even if it doesn’t come naturally to them, at least one person from the IT or Security Department needs to be visible as the “face of security” within the company. Have a liaison who delivers security awareness training and can also carry questions and concerns back to the technical departments, someone who understands both the user side and the tech side. People will be more comfortable coming forward with security questions or problems if there is an approachable ombudsman at their service.
- Compassion. Security should not make someone’s job harder. Understand the daily work of your company’s users. Rather than admonish a user for clicking on a phishing email, say something like, “I can see how you thought this looked legitimate, but let me show you some examples so that you can spot a fraudulent email.” Empower your users and give them confidence. A significant number of employees will not report that they clicked on a phishing email out of fear of being fired, and a click that goes unreported cannot be contained, while one reported promptly usually can. Understand what each user’s job entails, and give them guidance accordingly.
- Awareness and Education. None of the factors above will succeed without an active, ongoing security awareness and education campaign. The threat landscape is always changing, so awareness and education need to be current and continuous. Demonstrate things like the perils of posting to social media from the workplace: employees will take what they think is an innocuous “selfie” at work, not realizing that passwords, proprietary information, or even the types of computer equipment used at the facility are clearly in view. Share information that employees can use on their own devices too; security awareness that applies to both their work life and their personal life is more likely to stick. Cultivate good habits that give them confidence, not fear, about security practices.
There’s no sugar-coating it. Security is hard. There are constant threats, and the bad actors and types of attacks keep changing and morphing into new things. But it is not something that can be ignored. Companies need to adopt a holistic approach to security and make it part of the company’s culture. No single measure on its own will protect a company from a breach, but multiple measures working together make for a better line of defense.
Tracy Z. Maleeff left behind the world of law firm librarianship to seek out the white hot spotlight of the information security industry. She started an independent research business in early 2016 called Sherpa Intelligence, providing competitive intelligence, news monitoring, and social media consulting services, focusing on technology and Information Security. She is the Director of Social Media for her client, SCIP (Strategic & Competitive Intelligence Professionals).
Tracy earned a Master of Library and Information Science degree from the University of Pittsburgh. She was recognized with the Wolters Kluwer Law & Business Innovations in Law Librarianship Award in 2016 and the Dow Jones Innovate Award in 2014. She is a co-host of the PVC Security Podcast, Editor of the Advanced Persistent Security Network, and an editorial board member of the Business Information Review journal. Follow her on Twitter @InfoSecSherpa.