Building a Security Culture
Why is it important?
What are the risks?
How do we build that culture?
The reason that IT security is important is twofold. First, more data is being kept electronically/digitally instead of as hard copies, and because this format is easy to use, more information is being kept in it. Second, we have more sources that produce and collect that information, and the data is being retained for longer periods of time. Employee data, company intellectual property, customer information, processes, plans, financial information, forecasts, security footage: the sources of data are growing, and most of these data sets contain valuable information.
Without processes and protections, unauthorized people/companies/groups/governments could gain access to that information and potentially steal it, ransom it, sell it, or generally cause a business disruption. A loss of the information could be costly in terms of value and/or reputation. I recently read an article, and it stated that after a major breach or cyber-attack, more than 60% of small businesses go out of business within 6 months of the event (I believe it was an INC article, but it was also repeated in several publications). Pretty scary statistic.
What are the risks, you ask? Potentially going out of business, or risking reputation and/or money. There are a number of vulnerabilities that can be exploited. The two biggest risks are non-IT staff using email and browsing the internet, and patching systems (servers, desktops/laptops, applications, and network devices). For our discussion, we are focusing on non-IT staff.
This brings me to the question: how do we build a security culture? I believe one of the pillars of building a security culture is building security awareness, and one of the best ways to build awareness is through training.
- End User Training – what the standard protocols are for browsing the web, using email, and working remotely.
- Phishing education – Some of the attacks are getting quite sophisticated. We really need to educate users at all levels on what a phishing email looks like and how these attacks work.
- Developer Training – Our software developers need to think about security for all the applications that the company is using. If changes are made to a web application, is a security vulnerability being introduced?
- Executive Management – If the security message starts at the top of the organization, it is more likely to get attention and traction. Plus, executive management can carry some liability regarding security.
- Bring in an outside expert – Bringing in an outside expert can be effective in delivering the message and pointing out its importance to all facets and departments of the firm.
- Talk about and socialize the idea of security.
There are a number of sources of excellent training programs in this area, and the best part is that the programs are incredibly effective. It is challenging to get the ball rolling and to be consistent in delivering the messaging. But once started, purposefully building a “security culture” can have far-reaching benefits for the company.