December 8, 2016

Avoid these pitfalls to strengthen your security culture

There’s no denying it – every company, no matter the size, industry or geographic location, will experience a cyber attack. Not only are hackers getting more creative about how their attacks are engineered and carried out, but the motivation behind them has evolved beyond financial gain. From political persuasion to personal vendettas, the act of the breach itself has become somewhat inconsequential compared to the damage that can and does result once that data is in the wrong hands.

Because of these very real risks, companies are investing heavily in IT and data security – and they should be. IDC predicts that by 2020, more than $100 billion will be spent on security solutions. And while it’s true that technology is currently our best defense against cyber criminals, it’s by no means foolproof, and because of this, significant vulnerabilities remain. In fact, recent research from Accenture suggests that of the more than 100 targeted attacks the average company faces each year, one-third of those attempts will succeed.

In response, many companies are beginning to look beyond technology and internal processes/protocols to the employees themselves to close the security gap. While the idea of a sound security culture sounds promising, it can be extremely daunting to effectively implement and enforce. Part of the challenge involves achieving consistency across organizations and individual business lines. Another factor involves the wide swath of employees who must all practice and adhere to similar standards and best practices, despite significant differences in roles, skill sets and work styles.

As companies determine the security posture and culture that work best within their unique corporate environments, there’s one thing that most can agree on: the tone must be set by those at the highest levels of the organization, including the C-suite, board members, and directors. Not only must these individuals be involved with the creation of the actual information security policies/procedures, they must also follow these guidelines to a T, serving as an example for all others in the organization.

Security professionals who are tasked not only with protecting the organization against a litany of threats but also with elevating the urgency of data, cyber and IT security issues to top executives have a long road ahead of them. In order to create a strong security culture from the ground up, or to revisit existing practices, it’s imperative to avoid the following pitfalls to ensure success.

You’re Overlooking the Basics

For security professionals working in the trenches, it’s easy to assume that others in your organization understand basic security practices like you do. While you may know your organization’s security policies and procedures like the back of your hand, the reality is that most of your fellow employees have long forgotten what’s allowed and what’s not. This is a significant issue in organizations where employees work remotely and/or travel frequently for business and must stay connected to the office via mobile devices. In reality, if employees are not compelled to follow the rules, they will make up their own — and no one is guiltier of this than the C-suite and board members.

With human error and lost/stolen mobile devices at the heart of a growing number of data breaches, it is essential to develop or evolve security policies to ensure alignment with the needs and behaviors of today’s modern workforce. Updated policies need to cover the basics including appropriate use of Wi-Fi connections, best practices for shared workspaces, document access/sharing protocols, and procedures to follow should a phone, tablet or laptop get stolen or go missing.

You’re Not Investing in Training

If you’re banking on employees following your company’s security playbook on their own, think again. Many won’t read it to begin with and those who do are likely unable to understand its contents (and implications) without explanation. Yet, many companies are not investing resources and time into training and/or retraining workforces on proper security best practices. In order to develop a sound security culture, employees need to receive continuous training and retraining in order to increase the effectiveness of internal security and data protection programs.

In addition, as hackers employ increasingly sophisticated attacks and social engineering tactics to break into corporate systems, it is imperative that all employees — particularly those at the highest levels of your organization — receive training on how to spot and eliminate potential threats. For example, phishing attacks remain one of the most successful hacking schemes in use today, yet roughly one in four people are still unable to identify when they’ve been targeted. In order to decrease an organization’s overall vulnerabilities, all employees must be given the resources needed to improve their working knowledge of security issues, particularly as it relates to their areas of the business. Participation in industry conferences, webinars and other seminars hosted by experts in the field should be encouraged.

You Haven’t Given People a Reason to Care

Like it or not, any company that expects its employees to be security champions needs to give them a reason to do so. It’s no longer enough to tell employees that they have to care about security — you have to show them why they need to care. Thus, a one-size-fits-all incentive program becomes highly ineffective. If your organization has this type of effort in place, chances are it’s already falling flat.

Instead, companies need to ensure that incentives appeal to the wants and needs of different organizational groups. For example, at the executive level, an effective approach may be to focus on the role of security (or lack thereof) in terms of brand equity or financial performance. Other workforce segments may be swayed by bonus potential, job advancement or greater leadership/management opportunities. In this case, it is important to take the time to develop customized programs that reward security-minded behaviors in a way that will motivate employees to go beyond ticking the compliance checkbox. Companies may also want to consider adding security best practices as a competency in annual performance reviews as another layer of accountability for employees. Likewise, consequences must be enforced if/when secure behaviors are not followed.

You’re Using the Wrong Technology

There are countless technologies and services available on the market today that promise to protect every inch of the enterprise against hackers and other threat actors. Yet despite increased investment in and adoption of these solutions, data breaches remain at an all-time high, with cybersecurity threats increasing in persistence and severity. While most would agree that the use of innovative technology will be essential for fighting back against cyber criminals, it is equally critical for companies to apply the right solutions that will protect their unique environments and industries. Essentially, even the top “must-have” solution may not be right for the people, processes or data your organization needs to protect.

Take the board of directors, for example. According to Diligent’s research, nearly one in three U.S. board members uses free email service providers (ESPs), such as Gmail, Yahoo!, AOL and Comcast, to conduct business. As was recently demonstrated with Yahoo!, free ESPs can be and have been successfully hacked, and thus, highly sensitive information shared at the board level is at risk of exposure as a result. Because board members typically sit outside of an organization’s firewall, even the most robust security solutions cannot safeguard against poor security practices. Instead, technology specifically designed to secure board-level communication — such as a board portal — may be needed.

In a world where hackers and cyber criminals remain ahead of the curve, companies must embrace the use of smart technology solutions, modern security best practices and a people-powered commitment to reducing and mitigating threats that could infiltrate the enterprise. The stakes have never been higher, and everyone — from the break room to the boardroom — plays a critical role in securing our future.

About the Author: Brian Stafford is Executive Director, Chief Executive Officer & President of Diligent. Follow him on Twitter at @BrianKStafford.