Instilling a culture of cyber security

Every company that sells cyber security technology markets how their tools will “defend”, “stop threats” and “protect”. There is no doubt that the technologies that exist today are quite incredible in helping fight malicious adversaries. However, the reality is that technology can sometimes cause a false sense of security.

Put simply, no technology exists today that is a “fire and forget” solution and every device has vulnerabilities that it cannot defend against. Despite great technology, new vulnerabilities and exploits are being found all of the time. And of course there is the human element: the reality is that the majority of breaches occur, not because of a technology failure, but because a person failed to be vigilant or did something they should not have done.

With a recent survey on technology-related security risks finding that almost two-thirds of public sector workers would not report a serious data-protection breach if they thought it would cause problems in their workplace, it is clear that employers could be doing more to improve the human element of data security. So, what can your business do to make sure that your employees are part of the solution, rather than part of the problem?

Make security-awareness a key part of your company culture from the top down
Unfortunately, there is still a wide disparity among organizations on the level of training and education for security threats. There is an assumption that providing employees with a policy or a couple of hours of training will suffice. While that does “check the box” for the organization, it really does not develop a culture of cyber security.

Take the focus away from how to get everyone in a training room for several hours or take an online course and move it to conspicuous frequent messages that people cannot avoid seeing or hearing. It is important to get the information out to everyone often – repetition is key. An always-vigilant mentality is what organizations need to focus on creating so that cyber security becomes a reflex.

A true culture of security needs to come from the top down. If the leaders of a business do not set the example it should come as no surprise that others will not see cyber security as a priority.

Start phishing
The first thing that any CIO or CISO should do is get a baseline about how well-trained the organization really is. This can be done by running a phishing and social engineering exercise or by bringing in a company who provides this as a service. I recommend this for two reasons. The first is that it will be eye-opening for business leaders to see just how many people fail the exercise. The second is that it will provide CISOs with the justification they need to support investment required for a formal program.

At the end of the day, organizations have a fixed amount of funding to spend and far too often training, let alone cyber security training, is much lower on the priority list. If the CIO or CISO demonstrates that 70 percent of their employees are unfamiliar with basic security practices, there is a very compelling reason to find the resources for additional education. None of these efforts are particularly time consuming or costly to do, but they encourage employees to think about how they are always a potential target.

Prioritize prevention over punishment
I firmly believe that individuals should not be disciplined for the first or second instances of cyber security breaches if they are genuine mistakes. We need to remember that the attackers are good at what they do! Instead employees that make security mistakes should get additional training to make sure it is not a lack of knowledge or awareness that is causing the problem. It is the organization’s responsibility to educate its employees and mitigate against the risks.

Get the basics right
An effective cyber security program always comes down to three things: people, processes, and technology. The people have to be trained and aware of the dangers that are out there and recognize that they are real. There have to be processes and policies that employees can use as the basis for how they behave. Finally there has to be technology in place to protect people from falling victim to security breaches and that technology has to be maintained by people with the right skills and resources.

Getting started is always a challenge, but failing to start is a guaranteed failure. It is not a matter of if something bad will happen, it’s a matter of when. Organizations that understand that their employees are the weakest link in the cyber security chain, and take steps to support and educate them, will stand a much better chance of protecting their business in the long-term.