Cyber security is a concept that has been around for years. Yet studies show that the vast majority of us are still vulnerable to attacks. While technical security elements have come a long way, and must continue to evolve in order to remain effective, study after study shows that people remain the biggest threat a company faces.
In fact, the CyberEdge 2015 Cyberthreat Defense Report says that “low security awareness among employees is the highest barrier to organizations being able to adequately defend themselves.”
Having a company culture that is actively focused on security takes more than creating a policy document. While a policy document is critical to defining what should be secured and how, without a business culture that is focused on implementation it will simply be a document sitting in a file somewhere.
Tips for Supporting a Security Culture
Create a Diverse Security Team
When you start to put together the team of individuals who will be primarily responsible for the implementation of cyber security policies within your organization, it is important that a wide range of departments and professionals be included to ensure that security can be understood as a priority that extends beyond the IT department. Choosing a security team that is only comprised of members from the IT department gives the illusion that security is solely IT’s responsibility. This can lead to segmentation in how security policies are enforced for different individuals and departments.
The 2015 Price Waterhouse Coopers Global State of Information Security Survey says that only 49% of organizations that have a security policy have a cross-organizational team that regularly convenes to discuss, coordinate, and communicate information security issues. That means that 51% of companies have taken the time to draft an IT security policy document without considering how to implement it and support it for future needs. Having a diverse group represented on the Security Team allows concerns and threats to be discussed from multiple vantage points in order to arrive at the most logical way to address the problem for the company as a whole.
Draft a Company Security Policy
The security policy document is what will be enforced as your company incorporates security into its everyday practices. You should outline exactly what the security program is built to protect, and the ways in which you intend for those assets to be protected. In yesterday’s blog post, we outlined all the items to include in your IT Security Policy.
Implement an Awareness Campaign
Once your policies have been defined, creating an awareness program will facilitate understanding of the goals and priorities of the security policies. Get creative with your awareness campaign. Creating a fun, engaging program that people will want to listen to is the best way of getting the information to really stick.
Some great resources that we have used to help promote Cyber Security Awareness are:
- National Cyber Security Alliance Stay Safe Online campaign has countless resources, including:
  - US Chamber of Commerce Internet Security Essentials for Business
  - Printable Quiz: Test your Internet Security IQ Printable 10-question form
  - Online Identity Risk Calculator
There are several other resources that are readily available online. See what is out there and decide how to use these resources to improve your security program.
Clearly Outline Current Security Shortcomings and Weaknesses
People like goals. Once the purpose of security policies within the organization is outlined, the best way to support their incorporation into the overall culture of your business is to outline the specific weaknesses. If you tell someone not to share credentials, such as passwords or usernames, without giving a reason, they may not think that doing it every once in a while is a big deal. However, if you explain that internal misuse is the most common cause of security breaches, and that an inability to effectively audit systems could result in the company being non-compliant with government regulations, the impact becomes clearer.
Communicate in Relatable Terms
When explaining security to your employees and managers, use terminology that helps them relate the security initiatives to their own lives. Talking about policies and programs using only industry jargon or big-picture language can make it seem as though the individual employee could pose no possible risk in their current daily routine. Communicate statistics. Show how the data relates to their personal life, not just the overall well-being of the company.
Ensure Management Support and Focus
The road to any holistic change program within an organization begins with ensuring top-down support. This requires that management not only understand what is being attempted and why it is important to the company as a whole, but also model the behavior that security compliance should look like. Without management support, it will be hard to hold anyone else accountable for not complying with the security guidelines.
In light of the headline-grabbing data breaches in recent years, effective security management must be a top priority for the organization as a whole. One of the best ways to get full support throughout an entire organization is to involve the Board of Directors. Board members can hold senior management accountable for ensuring that security is effectively implemented and maintained. This trend has started to grow in recent years, yet most organizations are not fully taking advantage of the power this could bring to the table. The 2015 PWC Global State of Information Security Survey says that only 25% of organizations claim their boards are actively involved in reviewing current security and privacy threats.
Consistently Enforce Security Policies
None of this will matter if the policies are not enforced. Consistent enforcement of the security policies will make people understand that the guidelines are not something they can creatively get around. Ensuring that employees are not getting around them requires proof, which means that the members of the Security Team must check that the guidelines are being adhered to.
Effective policing requires both a carrot and a stick. Rewards should be given for employees who point out when something doesn’t seem right, locate weaknesses in the security system, and help the overall security posture of the organization. Similarly, employees who fail to comply with security guidelines must have consequences. These consequences should be outlined ahead of time in the training and awareness materials.
Focus on More than Individual Compliance Initiatives
Information security within an organization should absolutely cover any compliance regulations that your industry is held to. However, in order to create a culture that understands the value of security initiatives, the overall security program must be about changing overall behavior.
The problem with focusing only on compliance requirements is that it can easily turn into a “checkbox” mental exercise for employees. In other words, users won’t see the value in changing their behaviors; they will simply do what it takes to get through the audit. This can lead to the impression that the security policies only really need to be adhered to at certain times, and that most of the time it is acceptable to ignore them.
Require All Employees to Complete In-House Training Programs
In-house training is an absolute requirement for cultivating a culture that emphasizes the importance of security. And yes, this means that if you hire a new employee with endless security professional certifications, they still have to go through your training. In-house training is more than teaching people why security is important; it is about highlighting the risks that exist within your organization itself.
- Initial Security Program Launch Training – When the security program is first implemented, all employees should receive training so that they are aware of it. Expectations should be clearly outlined, and employees should sign a document acknowledging that they have received the training/information and clearly understand the expectations.
- New Employees – All new employees should be required to complete security awareness training as a component of their onboarding. Paperwork showing that the training has been completed should be kept by HR.
- Recurring training throughout the year – Training should not be a one-time event that employees are then left to forget about. Regular training should be done to remind employees of the importance of the security initiatives. This should be done at an absolute minimum of once a year, but twice a year allows for smaller doses of information to be spread out.
- Have Disaster Recovery and Business Continuity Training Exercises – These should be conducted sporadically, and should be separate from the IT Security Training programs themselves. For a list of ideas, check out our blog post of the ultimate disaster recovery testing exercises.
Keep the training fun and light-hearted, while still being informative. Having these constant refreshers will allow for security to become almost second nature to employees.
Update the Policies Regularly
An effective security program should evolve as often as the threats do. Cyber threats are changing at an alarmingly fast rate, and programs have to stay current to protect the organization against new or emerging threats. The Security Team should discuss new threats to the organization and effectively communicate them in each training session that employees attend. If policies that were initially defined are not performing as expected, alter them.