Exploring why culture is key to effective cybersecurity
Article by Aura Information Security's general manager Peter Bailey.
Cyber security is like a chain. The strength of your defences is often measured by the weakest link, and in most cases this link is people. Human error, oversight – or plain old gullibility – are all a hacker’s dream. But by establishing a pervasive cyber security culture, this weak link can be hardened, heading off a good proportion of potentially successful malware attacks.
The ‘chain’ analogy is a good one, because just like there are multiple links in a chain, information security has several distinct yet connected components: technology, which can include hardware and software; policy, which covers processes and procedures; and people.
In modern companies today, taking care of the technology and policy links of the cyber security chain should be a given (if they are not a given, hard questions should be asked of those tasked with governance).
The trickier bit, by far, is addressing the people link.
A good deal of the reason for that is quite simply that people are people. We are all fallible. We make mistakes and we overlook things. We are routinely trusting by nature – and that trust is used against us by clever hackers.
We fail to update systems or we leave them unlocked and open (physically or virtually) or in the case of BYOD, we simply lose the devices by leaving them behind on buses, trains or in restaurants. We know and understand the necessity for information security at work and at home, yet we ignore it, often until it is too late.
2017 research conducted by Kordia, of which Aura Information Security is a subsidiary, showed that 41 percent of individuals in New Zealand businesses had been personally targeted by ransomware, phishing or malware in the last 12 months.
Further to this, a quarter of New Zealand businesses were impacted by NotPetya and WannaCry – ransomware attacks that preyed on the vulnerability of individuals.
The size of the business doesn’t impact its vulnerability, either. New Zealand businesses with 20 to 49 employees are just as at risk as those with 100 to 199 employees.
These statistics highlight why a cyber security mindset should become an ingrained part of company culture.
This mindset is one where employees all take responsibility for information security. They actively and intuitively seek to identify threats and protect corporate information assets.
They are vigilant, involved and aware of the risks, methods, types of attack and can readily identify attempted hacks or malware before it becomes a problem. Rather than a weak point in the chain, each and every employee knows the risks and plays a part in mitigating them.
Easily said, of course. But how can businesses create a cyber security culture? Peter Bailey, General Manager of Aura Information Security, shares his tips on fostering a culture of cyber security awareness within your business:
Tone from the top
Like any organisational culture, it has to start from the top. Before getting staff members involved, directors first have to take cyber security seriously themselves.
They have to live and breathe information security and be seen to do so. In other words, when cyber security is a boardroom issue and policy is pervasive from the top of the organisation, only then is the rest of the company truly ready for it to become a part of the culture.
Education, training and awareness
This is one of the more obvious prerequisites for making people throughout your organisation security-conscious and a key aspect in making it a component of the company culture.
From the CEO to the person at the front desk, from the longest-serving staff member to the newest recruit – security training and awareness must become a regular feature of what the company does. The threat landscape changes constantly, which reinforces the necessity for regular communications, training sessions and awareness initiatives.
Kordia’s specialist cyber security arm, Aura Information Security, recently launched its e-learning tool, which is designed to give businesses the ability to educate staff while also identifying areas for improvement, making it a great option for training staff.
Having basic cyber security training as a part of employee training and / or new employee induction is a great place to start – in fact, it should be compulsory.
Ownership by everyone
Cyber security was once perceived as ‘an IT issue’. It isn’t. The way most hackers get into an organisation is through the least security-conscious people – and it doesn’t matter whether they do that through high-ranking employees or junior ones. An effective cyber security culture is achieved when everyone feels like it is their responsibility, because everyone does have a role to play.
Drive towards that by incorporating cyber security into the company vision and mission. Reinforce it through company communications. Make it a part of HR processes and company procedure manuals. Executives should demonstrate their own commitment to cyber security at every available opportunity.
Recognition and reward
An easy and effective way to drive a culture of cyber security is to identify and reward those who have sharp eyes and sound instincts. The individuals who identify odd-looking emails or dodgy TXT messages should be recognised and given either a commendation or something a little more substantial. Whatever it is, they should be held up as an example, encouraging emulation by others.
Recognise those specifically tasked with information security, too. Your Chief Information Security Officer (or the person or people responsible for infosec in your company) shouldn’t be invisible. Security is everyone’s business, so everyone should be able to engage with the CISO.
Foster a sense of community
Use the Intranet or some other shared space as a point where information security news, updates, insights and observations can be exchanged. Make information security interesting and fun, so that people choose to engage and make it top of mind.
And make the company cyber security policies not only easy to access at any time, but also written so that everyone can understand them. By making the reasons behind the rules clear, too, your people are more likely to appreciate the ‘why’ of cyber security, rather than seeing it as a set of irrational restrictions.