5 Steps to Create a Security Culture within your Organization
Introduction
We have a problem Houston...and its name is cybercrime. In 2017, we saw some of the biggest breaches of all time, including the Equifax breach, which left the company reeling from a 38% share price drop (1), and Verizon, where 14 million customer records were exposed. In the latest Ponemon Institute report, “Cost of Data Breach Study” (2), the average total cost of a breach was $3.62 million per organization. The report also went on to point out the far-reaching impact of a breach, such as the detection and remediation costs and time, as well as having to inform customers, with the knock-on effects of that on business reputation.
The Data Breach Investigation Report (DBIR) for 2017 (3) went into the detail of cybercrime and came out with some interesting information, including that over half of breaches involved malware and 66% of malware was installed from a malicious email attachment. Phishing remains, as ever, a popular choice for the cybercriminal, with 1 in 14 phished individuals falling for the trick. Phishing is successful because cybercriminals use our own behavior against us in a war of psychology. The report also pointed out that the password issue persists, as 80% of hacking is down to stolen or easily guessable passwords.
What should you learn next?
So, how do we stifle the march of the cybercriminal? We have to approach it from a technological perspective but also a human one, too. As stated, cybercriminals feed off our own behavior and use it against us. They trick us into performing actions which seem legitimate, but aren’t. It is this aspect that technological solutions cannot resolve and which need to be bolstered by drawing in the human behavior aspect. This can be achieved by creating a ‘security culture’.
5 Ways To Create a Security Culture
So, just what is a security culture all about? In a nutshell, it is based on the adage “know they enemy”. If you know what you are up against, you can put procedures in place to protect yourself. A security culture is one that incorporates everyone who is involved in an organization - this may well extend to business associates, and in some circumstances, customers; certainly, some aspects of a security culture can include customers, for example, educating customers about phishing emails can be seen as part of the overall culture of security your organization develops. A security culture is helped by the use of security awareness training (4) and a positive attitude, driven from the top down, towards embracing security. Below is a list of the top 5 areas that you need to consider when building a culture of security in your organization.
- Education, education, education Knowledge is power, and education on cybercrime and typical attack scenarios is a crucial part of any security awareness training program. Security needs to be fostered and fed, and so the ethos of training should be done using a top-down approach. Management needs to be the advocates for the training, themselves taking part in its development as a company policy. The education around security needs to be extended to everyone that could pose a risk to your organization – this includes all staff, contractors, freelancers, consultants, third parties (such as suppliers), and even customers.
- Your company needs you! Security is everyone’s problem. Any one of us can become the weakest link in an organization's cybersecurity defenses; the finger that clicks on the malware package, the person who reveals their password to what seems like a legitimate site. A holistic view needs to be taken where everyone recognizes the part they play in the culture of the company and the impact they personally can have on security. Understanding security issues cuts across the entire organization, from having a clean-desk policy through to developers and DevOps understanding the importance of secure coding and security logs.
- Security bootcamp Security awareness training and simulation exercises give the vital first-hand experience needed to learn and understand where the risks lie. A security bootcamp can be created that utilizes a mix of classroom-based formal training, with real-life simulation exercises that train people to spot security problems. Security bootcamps should cover all aspects of security from phishing and online security to desktop security to physical security. Phishing simulation should be done regularly, but also randomly, to create more natural scenarios. People are your best asset, and they can also be one of the greatest security assets too.
- The rewards of a job well done Security awareness training and the culture it instills are measurable. If you incorporate quizzes and other measurement activities, make them fun and offer rewards for a job well done. Create a system that rewards and encourages security best practices, but conversely, don’t use poor outcomes by an individual as punishment. Instead, focus in on how to improve a program - after all, we are all different, and different styles of learning suit different types of people.
- Security mindfulness Employees should feel empowered after receiving the training and knowledge to help play their part in preventing a security breach. A security culture is a state of mind, and if done correctly, can become part of the way of life at an organization, sitting alongside the general day-to-day business. But it should always be remembered that a culture of security is part of an ongoing process. Cybercriminals rarely sit on their laurels. They develop new and more sophisticated techniques to trick us. All of the elements of a security culture need to be cultivated as part of an ongoing process. Training should be regularly repeated, whilst keeping the random aspect of phishing simulations. Becoming security mindful will make the act of security normalized.
Making 2018 The Year Of Security Culture
It is likely that 2018 will see as many, if not more, cyber attacks against organizations of all sizes and types. Many of these attacks will begin with the manipulation of our own behavior by the cybercriminal. To address this, we must fight fire with fire, and build defenses using our greatest asset - our people. A culture of security is about addressing insecure behavior and encouraging secure thinking. In doing so, you can build an encompassing ethos that will protect against some of the most common attack methods like phishing, potentially saving your company money, reputation, and ensuring that compliance requirements are met.
Sources:
- Market Watch, Equifax Share Data: https://www.marketwatch.com/investing/stock/efx/charts
- Ponemon Institute and IBM, Cost of Data Breach Study: https://www.ibm.com/security/data-breach
- Verizon, 2017 Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
- Infosec Institute, Security Awareness -- Definition, History & Types
In this Series
- 5 Steps to Create a Security Culture within your Organization
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security