The state of corporate cybersecurity is constantly in flux. With new threats emerging and multiplying quickly, the stakes are high for making sure company systems and data are always secure. According to the 2018 Cost of a Data Breach Report, the average cost of a data breach across industries and countries is $3.86 million, a 6.4% increase from 2017 and a nearly 10% net increase over the past five years. It is no surprise that business leaders are continually looking to lessen the risks.
Technology touches all employees within an organization, not just those in the IT department. Security is no different, with a commitment that trickles from the top on down. When talking about a company’s information technology and cybersecurity, the old nugget “You’re only as strong as your weakest link,” is 100% true.
Despite what some business leaders may believe, protecting an organization’s infrastructure and data doesn’t start or end with investing in a firewall. It starts with embedding cybersecurity into your company culture. At Radian, we view cybersecurity as an enterprise risk, not confined to just the IT department but a responsibility shared by all employees.
So how do we go about creating this culture?
A company-wide culture is created through good security hygiene and training for all staff members to ensure that cybersecurity practices are instilled in each individual from the CEO to the summer intern. Building this culture takes time and perseverance. Through my years of experience, I’ve cultivated a few steps to help create an effective culture around IT and cybersecurity.
AIM TO DISRUPT
Analyze the current culture first to see where your IT and cybersecurity efforts rank. Ask questions across the organization about good security practices to help the assessment. If a company’s IT and cybersecurity awareness is low, extra effort will be needed to change it for the better.
Being diligent about educating each employee on the importance of good security, and on the risks of going without it, is the first place to start.
The ultimate goal of this process is to make employees aware and get them taking small but important steps. Habits such as not opening unexpected emails and attachments, and not installing unauthorized software or apps on company computers, lower the risk for everyone.
Without awareness, it is difficult to hold employees accountable for maintaining security both within the work place and in their personal lives.
By establishing a clear protocol that aligns with a company’s mission, businesses can focus on continued growth instead of being bogged down by cyber threats.
SECURITY SHOULDN’T BE A SECRET
Transparency is critical to the success of any IT and cybersecurity program. Keeping security efforts a secret from staff can hinder a business’ success. As stated previously, cybersecurity is not a standalone issue for only the IT department. It must permeate the entire company from the board of directors and senior leadership, all the way down to entry-level positions. All employees need to have a comprehensive understanding of the company’s security strategy and the important role that they play in keeping the company, and themselves, safe online. This includes online security when logging onto a company network both in the workplace and remotely.
TEACH GOOD HYGIENE
Just like teaching a child the importance of regular hygiene habits, instilling good security habits in employees wards off common threats. Company-wide cyber hygiene covers the practices and steps that users of computers and other networked devices take to keep their systems healthy and improve online security. These practices become part of a routine that protects both personal and company information from being stolen or corrupted. A few key items for the company hygiene checklist: document and set a standard for all hardware, software and mobile applications; review that inventory of equipment and programs regularly; and create a common cyber hygiene policy.
But in addition to company hygiene, it also needs to take place on a personal level.
Keeping the staff safe ultimately makes the company safe. Looking for a meaningful and easy resource to keep employees involved? Radian installed a “doesn’t feel right” button at the bottom of every employee’s email client. If, after viewing an email, the employee feels it could be a potential cyber threat, clicking the button flags the email for the IT department to review.
According to a report by Cisco, email phishing and spear phishing (emails crafted to appear to come from a known or trusted sender) are well-established tactics for stealing users’ credentials and other sensitive information, primarily because they are very effective.
In fact, phishing and spear phishing emails were at the root of some of the biggest, headline-grabbing breaches in recent years. Two examples from 2017 include a widespread attack that targeted Gmail users and a hack of Irish energy systems.
In addition to looking outward for threats, employees should use long, unique passwords built from mixed letters, numbers and other characters, and keep security settings and patches up to date on every device, whether laptop, cell phone or tablet. Just as with flossing their teeth, employees need to work on the tough “cracks” in cybersecurity, such as treating suspicious and unfamiliar emails and attachments as something to report rather than open. These emails and files can carry malware with the ability to compromise the whole IT enterprise. Being able to recognize and act on these potential threats protects the data assets of your company. And of course, as the other common security adage goes, if you see something, say something. Malware and other threats can start anywhere, so educate employees on how to identify threats and establish a protocol for reporting them to the IT department.
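A report button is only half of the loop; the IT department still has to look at what comes in. The following is an added example, not Radian’s tooling or anything from the original post, of the first-pass checks a reviewer might run over a reported message before deciding whether to escalate: does the sender’s name or domain trade on the company name while the real address is external, does Reply-To go somewhere else, does a link’s visible text disagree with where it actually points, is there pressure language, and is there an attachment type commonly used to carry malware. It assumes the company mail domain is example.com, and both sample messages are constructed for illustration.

```python
"""First-pass triage of an employee-reported email (added example, not Radian's tool).

Assumption: the company's mail domain is passed in as company_domain (example.com
below); SAMPLE_REPORT and BENIGN_SAMPLE are constructed messages, not real mail.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types commonly used as lures or droppers (non-exhaustive).
RISKY_ATTACHMENT_EXTS = {".exe", ".js", ".vbs", ".scr", ".html", ".htm",
                         ".docm", ".xlsm", ".iso", ".lnk", ".hta"}
# Pressure language that social-engineering mail leans on.
URGENCY_PHRASES = ("urgent", "verify your account", "within 24 hours",
                   "will be suspended", "immediate action")
URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class _HtmlCollector(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _domain(header_value):
    """Domain part of an address header, lowercased ('' if absent)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _host(url):
    """Hostname of a URL or URL-looking anchor text (drops userinfo and port)."""
    if not re.match(r"^[a-z]+://", url, re.IGNORECASE):
        url = "http://" + url
    return urlparse(url).netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def triage(raw, company_domain):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    company_domain = company_domain.lower()
    label = company_domain.split(".")[0]          # "example" for example.com
    findings = []

    # 1. Sender impersonation: name or domain uses the company name, but the
    #    actual address is outside the company domain (simple heuristic).
    display_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = _domain(msg.get("From"))
    if from_domain != company_domain and (label in from_domain or label in display_name.lower()):
        findings.append(f"sender impersonates {company_domain}: {display_name} <{from_addr}>")

    # 2. Reply-To pointing at a different domain than the sender.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Links whose visible text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text, links = "", []
    if body is not None:
        content = body.get_content()
        if body.get_content_subtype() == "html":
            collector = _HtmlCollector()
            collector.feed(content)
            text, links = "".join(collector.text), collector.links
        else:
            text = content
    for href, anchor in links:
        if URL_LIKE.match(anchor) and _host(anchor) != _host(href):
            findings.append(f"link text shows {_host(anchor)} but points to {_host(href)}")

    # 4. Pressure language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    # 5. Attachments of types commonly used to deliver malware.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_ATTACHMENT_EXTS:
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed sample of a reported message (not real mail).
SAMPLE_REPORT = b"""From: "Example IT Support" <helpdesk@example-support.co>
Reply-To: recovery@mail-secure-login.net
To: jane.doe@example.com
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox is over quota. Verify your account within 24 hours
or it will be suspended. Sign in at
<a href="http://login.mail-secure-login.net/owa">https://mail.example.com/owa</a>
to keep access.</p></body></html>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Quota_Notice.html"

<html><body>placeholder</body></html>
--b1--
"""

# Constructed internal message with nothing suspicious, to show no false alarm.
BENIGN_SAMPLE = b"""From: Jane Doe <jane.doe@example.com>
To: team@example.com
Subject: Lunch menu for Thursday
Content-Type: text/plain; charset="utf-8"

The cafeteria posted Thursday's menu on the intranet.
"""

if __name__ == "__main__":
    for name, raw in (("reported", SAMPLE_REPORT), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw, "example.com"))
```

None of these checks is proof of phishing on its own; a legitimate vendor may well have a Reply-To on another domain. Their value is in giving the reviewer a consistent starting point and in surfacing the one indicator (anchor text pointing to a different host than the link) that an employee looking at a rendered message cannot see.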
MAKE IT FUN
Lastly, the fact is, IT security isn’t the most fun topic to discuss. So, make it fun. Create quarterly trainings for all staff members, timed to the periods when attackers target employees most heavily, such as tax season, the company’s quarterly earnings announcements and the holidays.
Consider making a pop quiz contest for all employees to see if they can pass based on the IT facts that were sent to them. Or like Radian, send spoof phishing emails to see who bites. Falling for the fake scam offers a teachable moment that businesses hope will protect employees from a real threat.
An IT security workplace culture needs to be intentional. Think of it as an internal campaign. When drafting a campaign, be sure to keep it meaningful, easy, time sensitive, but also make it fun. Keeping these guiding principles in mind will keep employees engaged and empowered and ultimately, it will help stop threats before they begin.
Being sensitive to a colleague’s time is vital when teaching security lessons. With a full plate of daily tasks, reading endless reports and documents will most likely get pushed to the side versus becoming a priority. Be sure to keep the messaging simple by sending quick facts about trending IT security issues or current national threats to keep security top of mind.
For those leading an IT department, remember that IT security does not need to sit within the walls of the IT department, but should spread to all staff members within a company. Balancing the needs of a business against its exposure to threats is one of the hardest things for companies to do. If a company practices good hygiene and keeps IT security fun, an IT security culture will take hold from the ground up.