SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Create a safer internet by building a culture of security
Wed, 7th Feb 2018
FYI, this story is more than a year old

Yesterday marked Safer Internet Day – a day that promotes the safe and positive use of digital technology. This year's theme “Create, connect and share respect:

A better internet starts with you" is a call to action for every stakeholder in the Internet community to play their part in creating a better, safer environment for everyone. So, who must we count on to spearhead the charge for a safer Internet?

Organisations bear huge responsibility when it comes to creating a safer internet

Over the years, technology, especially software-driven applications, have become increasingly ubiquitous in our society. Software controlled devices and applications are now the lifeblood of modern commerce and our critical infrastructure – the digital economy.

On a personal level, software powers a wide spectrum of functions. In Singapore, according to a 2017 study conducted by Ernst - Young (EY), consumers spend close to 13 hours daily on their digital devices. They depend on software applications on their connected devices to perform a wide array of activities, including online messaging, social media, news updates, gaming and work purposes.

When we consider the time that consumers spend on applications developed by businesses and government bodies, and the massive amount of personal, sensitive data that pass through these programs, it is evident that these organisations have a huge responsibility in creating a safer Internet by designing secure, reliable online services and content.

The human element of cybersecurity

In order for organisations to ensure a robust cybersecurity infrastructure, security must not only be built into software, systems and processes; it is also imperative for it to be incorporated into the organisation's DNA and ingrained into how its employees think, create, and connect.

According to various surveys on data breaches, humans can be the weakest cybersecurity link within an organisation. It was reported that 90% of data-loss incidents and breaches have a phishing or social engineering component to them.  Closer to home, approximately 40% of executives in Singapore reported that their organisations have fallen victim to phishing attacks, making it the most pervasive cybersecurity threat faced by organisations in the country.

Building a culture of security with organisations

To address this issue, organisations need to recognise that there are no silver bullets or quick fixes. It will require commitment and effort from everyone across the board; it will require them to build a culture of security within the organisation.

Here are four steps that enterprises and government bodies can adhere to instill a security-centric culture.

1. Building culture change on a solid foundation

The most important step that companies can take is to base their culture on a solid foundation of good policies.  The security policies must be what organisations need their employees to do.  They need to be easy to understand and implementable.  These policies are critical not only to ensure the organisation is protected, but also in building trust among customers and partners.

2. Make sure everyone is on the same page

Once organisations have their policies in place, they will need to socialise them and get everyone on board.  Training and continuous practice to do it over and over again will help build muscle memory.

We also do extensive testing.  If there are repeated failures, we require additional training. Finally, to help combat phishing attacks, we have started to include a notification that emails are coming from sources outside the company.

3. Bring it home

One of the best things a corporate security team can do to improve the culture of security is to provide tools for people to use not only at work but also at home. With today's mobile workforce, providing security tools while employees are on the go or including advice for protecting home activities  extends the message and may help make some of the greatest progress in building good security habits.

4. Accountability top-to-bottom

Company leadership needs to be ready to back up the security team when there are policy violations. A recent CA report found that 90% of IT and security professionals worldwide feel vulnerable to insider threats, with 51% of them stating that they are most concerned about accidental insider threats.

This comes as no surprise as in the current sophisticated threat environment, organisations can expect that someone will violate compliance with company security policies, intentionally or not. Besides phishing attempts, weak passwords, bad password sharing practices and unlocked devices have been cited as the biggest enablers of accidental insider threats.

Leaders need to be part of the security-aware culture, and be especially careful in following company policies. Their actions in this area will be watched closely, and if the executives show that they do not consider the company security policies important, few of their employees will.

Leading the charge to create a safer internet for everyone

As active members of the Internet ecosystem and the purveyors of software applications that form the bulk of our digital universe today, organisations shoulder enormous responsibility in ensuring the Internet is a better and safer for everyone.

By cultivating a culture of security, both government bodies and enterprises can prevent their employees from becoming a weak cybersecurity link and greatly strengthen their security posture.

This enables them to deliver services and content that people trust and can safely use with peace of mind.