How to Create a Company Culture of Security
Cyber-security firms are consistently talking about securing the Internet of Things, analyzing the latest hack or trying to sell you on the latest and greatest tool. Oftentimes, this makes you look at the newest security software to put in place (which we recommend you do) or increase the number of pen-tests to ensure your systems are in optimal condition. What you may be missing is the most common source of exploits and vulnerabilities—the people in your company currently using the devices, apps and more on your network. Surely they went through initial training and are aware of best practices? But what hasn’t stood the test of time, or has fallen by the wayside over months, even years? Have we gotten lazy with training, or with holding our employees accountable for keeping company data secure?
There is a tool, app or remedy for just about anything these days, but there are some things money can’t buy. Sometimes we have to look internally. And by internal, we mean your staff and the internal security processes you have in place. You can add all the tools in the world to your system, but they can’t fix the humans, who don’t live in a cloud or on a server. No matter how many systems you put in place, there is nothing that can control human error.
Today, we want to look beyond security solutions. Let’s look at some internal best practices that need to be executed—just as much as the firewall—in order to stand a chance against bad actors. Here’s what I recommend:
Conduct regular training on the ways bad actors can get into your organization
As new ways of hacking or new data breaches become known, share them! Oust the bad actors by revealing their “secret” ways of breaking into systems. Knowledge is power and the information should be shared in order to protect your customers, employees and data.
There are many ways to go about this. Have you heard of a new breach? Has your email, bank or favorite game been obtaining information from you illegally and without your knowledge? Most often there will be an article or an email sent out to customers or users where the details will be shared. Take it a step further and share that information with those you work with. Then, ask yourself if there is an opportunity for improvement in your business. Be proactive and use the woes of other organizations to better equip yours!
If possible, set up test environments for your employees. Security tools, like Core Impact, can test your organization and see if people respond properly to phishing emails, scam offerings or other seemingly “easy” methods by which your system can be breached. Reward those employees who pass your test and use this as a time to educate in order to avoid the real thing.
Reminders to change bad habits
Determine what methods work best for your organization. Yes, you might have initial training for onboarding employees. But should it be expanded to a yearly training or overview? Would quarterly even work best, given the rate at which things seem to evolve? Depending on your industry, business or the tools your company uses, there might be different protocols, and that’s okay. What’s not okay is for things to be on a one-and-done schedule.
This could be as simple as having to change your password on a routine basis. Even seemingly small initiatives can help start the process of creating a culture that is aware and involved in securing your company and its data.
Lead by example
If those who work in your IT or IS departments don’t consistently practice what they preach, it will be difficult to set a precedent. Think about your C-level members too. The ones acting as the face of your departments, let alone your company, need to actively participate in this initiative. If not, then it will be hard to get everyone on board.
However, there are right and wrong ways to go about this. If people aren’t participating because it’s not feasible for valid reasons, then the initiative needs to be reevaluated—not ignored. Get to the bottom of what’s blocking people from engaging and see if there is a compromise—one that won’t compromise the company’s security. On the other hand, if people don’t engage with the security measure out of laziness, then that is a behavior that needs to be corrected. Empower your employees to help implement change as opposed to making them feel as if it is a burden or hassle to them.
At the end of the day, everyone’s goal should be the same. Everyone wants to keep the data within the office, and beyond, safe. It only takes one person, though, to bring down an organization by engaging with the wrong thing.
As it’s early in the year, start setting the precedent now. Revamp the current security strategies in place, talk to your employees about the gaps in security measures and set yourself up for a safe and happy new year.
If you need help getting started, check out our security services page for more information about ensuring your systems are in optimal working condition.