Building a strong security culture
Corporate culture is soft, squishy and hard to describe. It’s also vital to your company’s security. How do you manage it?
Culture is perhaps one of the hardest things to change in an organization. It’s soft and squishy. It’s the kind of thing that can’t easily be articulated on a spreadsheet. Yet without the right culture, a company can quickly veer into the weeds.
Good culture underpins everything from customer service through to product development and employee retention. It also underpins one of today’s most pressing business governance problems: information security. How can we create a culture of security that helps protect a company from harm?
The European Union Agency for Network and Information Security (ENISA) makes the case for developing a cybersecurity culture in a report published this month. Its Cyber Security in Organizations guide argues that most data breaches stem from human action (or inaction).
You can put technologies in place to secure your organization, and you can threaten and cajole employees into paying lip service to security, but these measures bring limited value. Only by creating the right mindset among its people can an organization truly create a secure culture.
Where do you begin? Understanding basic cybersecurity hygiene is a good starting point. This is the basic common sense that many people acknowledge in theory but don’t adopt in practice, such as using two-factor authentication, keeping software patched, and using anti-malware tools.
In many cases, these will include measures that your technology department must enforce. There are many authoritative sources of information on this. The US Secret Service advises on it, and the UK’s National Cyber Security Centre has a ten-step guide. Take your pick between most government or industry-approved guides. This isn’t rocket science, and you’ll find lots of overlap.
Getting employees to sit up and listen
The tricky part comes in getting people to do it. Cybersecurity hygiene isn’t just about technical practice; it involves people, too. Ideally, companies will educate their employees in secure behaviour, such as being careful about what attachments they open, not taking company data off-site, and not giving out sensitive information.
Not all education is equal, though. Researchers from Oxford University and University College London have investigated why cybersecurity awareness campaigns fail to change behaviour. One problem is that threats don’t work.
Sitting people in a room and finger-wagging will turn them off, just as it did at school. Instead, they advocate tying security awareness to employees’ personal values, explaining how it can make them a stronger, more reliable employee – a strong link in the chain.
Education goes hand in hand with a formal information security policy. Companies are lagging here. 56% of 1,350 companies surveyed across several countries in NTT’s 2017 Global Risk-Value report had one of these, leaving many companies without clear guidance.
At least the UK led the field here – 72% of companies there claimed an official policy – but that still leaves more than one in four flying blind when it comes to giving employees a consistent message.
Here’s another thing about people: They just want to get the job done. Balancing usability and security is key. Make security measures too obstructive and users will find their way around them by sharing passwords and other risky behaviours. To get employees on board, understand what they’re facing every day and design around it.
Be a leader
All these tips point to one thing: strong leadership. Without executive support, companies tend to drift as culture develops haphazardly. PwC’s 2018 Global State of Information Security survey showed that only 44% of corporate boards actively participated in a company’s overall security strategy. If leaders won’t advocate it, then why would anyone else follow?
Effective leadership goes beyond that, though. It involves not trying to impose culture at a distance. Empathy for employees is a huge part of the equation. If they don’t feel heard or respected, they are unlikely to support the cultural changes you’re hoping for.
With that in mind, here are some takeaways from the ENISA report that will help you create a secure culture.
Understand your business. Begin with a thorough assessment of your company’s existing values and practices. What are people already doing, and why? What risks are they creating?
Set your goals. What do you want your secure culture to look like? This will be based on a risk analysis that highlights the biggest potential threats to your organization and their impacts, and it will vary by company profile.
Conduct a gap analysis. By measuring the current security culture against your ideal, you can work out what needs to change.
Run and review. Select an activity that supports those goals, such as an anti-phishing awareness campaign or clean desk policy. Run the activity and measure its impact. Review the results and factor them into the next activity you try.
That’s the thing about building cultures. There’s a lot of trial and error. Companies must expect to experiment and fail along the way. How will you know when you’ve got it right? Every day you avoid becoming the subject of the next data breach headline, consider it a win.
Infosecurity Europe takes place 5-7 June 2018, Olympia, London