4 common questions about security culture
For a long time many employees, including senior executives, thought of cybersecurity as a merely technical issue, one of those things that IT will handle for the company while all non-technical personnel can just carry on with their jobs. Thankfully, this mentality is changing (albeit slowly) and more and more companies are realising that it takes a village to keep threats away. One click in the wrong email could expose a company to threats such as ransomware.
In the past few months, we kept an open forum with Cisco customers, listening to their concerns about how to build a stronger security culture in their organisations and get everyone on board. Here are the four most asked questions and our suggestions to handle these challenges:
Gone are the days when we could keep a closed corporate network. Now we have laptops, mobiles and personal devices connected at the office and from remote locations. How can we control everything?
Start by focusing on a couple of things: visibility and enforcement. First, consider tools that will help you see who and what is connected to your network and make sure each person has the level of access that is pertinent to their role.
It’s important to not only see what is connected, but also how it is behaving. It’s by spotting anomalies that you can quickly detect threats and trigger remediation measures. That is where the enforcement part comes in. You can embrace remote working and BYOD, but you also need to lay down your ground rules. For example, you can allow the use of personal iPads for work, but only if the user accepts certain policies and installs the protections your organisation requires on their device. They can use their laptops at the airport, but only if connected through a VPN. You should not forbid people from doing the things that help them be productive; instead, think about enabling them to do those things more securely.
Are employees the weakest link in the security of an organisation?
We often hear this question, but an organisation doesn’t exist without its employees. A company needs to be secure in part to allow employees to do a better job. Companies should not look at their employees as “the enemy” that they need to stop from doing something that will damage the organisation. There needs to be a relationship of trust, or you may end up with IT and security on one side trying to limit access as much as possible to minimise risk, and employees on the other side getting crafty and finding ways to bypass the rules to perform their job (shadow IT).
Companies should look at how to educate employees so they don’t accidentally expose the company to risk; they should also enable employees to do their jobs more securely. It’s a partnership.
How do you tackle the mindset “I have nothing to hide, so I have nothing to protect”?
Many people justify not having strong passwords with “Who’s going to want to read my emails?” Yet ask them if they would hand over their bank card and PIN, and I doubt any of them would. It is not obvious to everyone that all data, and not only financial data, has value. It can be used for profit, but it can also be used to damage your business. Everything is connected.
It may help to offer your employees some examples that they can relate to at a personal level. For example, someone could collect personal information about them on social media and have enough to pass all security checks and make a big transfer out of their bank account. Or a troll could guess their Facebook password and take over their account, just to message obscenities to all their friends.
In the same way, in a corporate environment, hackers could use employees’ personal information to plot a spear phishing attack or a business email compromise; or a disgruntled employee or competitor could expose corporate emails just to embarrass a company in front of their customers.
People sometimes don’t care about security because they don’t see the bigger picture. An attacker gains access to that one system that “doesn’t matter” and, all of a sudden, has found a way into the most valuable information a company holds. Once you manage to explain this logic, you will get more people interested.
What organisational changes need to happen to help build a safer IT environment?
Every organisation is different, but to change your security culture, think less about making organisational changes (i.e. who reports to whom) and more about opening the lines of communication and aligning priorities on a regular basis. People need to talk to each other, simple as that. Some companies may try to set up these lines of communication by making org changes, whereas other companies may have a more horizontal org structure and still manage to have these regular discussions.
A couple of organisational decisions do help, though. For example, having someone accountable for security at a business level will help ensure changes happen from the top down, as well as from the bottom up. If your CEO truly gets the value of security, he or she will help drive these conversations internally at all levels.
It also helps to have someone who can bring the “technical” and “business” sides together. For example, executives care about business performance, so having someone who can explain to them why security issues can affect your business’s revenue and growth may help gain their support.
Do you have any other questions about security culture? Leave us a comment.