A new need for a company culture of cybersecurity
Summary: Just like a fire in your office building, cyber-attacks are the 21st Century version of catastrophic loss to your business. Your first line of defense is awareness and avoiding the pitfalls behind the myths.
In the early 20th Century, the lack of fire preparedness resulted in catastrophic losses until building and safety codes were instituted as routine business. Just like a fire in your office building, cyber-attacks can disrupt operations, have real negative financial impact, and damage your credibility with your customers due to the perceived inability to keep their information safe, and the actual inability to respond to routine customer needs.
Prevailing myths about cyber security are contributing factors in the lack of cyber security preparedness. Let’s examine some of the more common ones.
MYTH #1: “I am not a target.” But if you have a computer and a bank account, you are a target.
MYTH #2: “It’s possible to be completely secure.” It is not about being completely secure but doing the things that make you less attractive as a target. It’s about being robust in your security instead of the unrealistic expectation of complete security.
MYTH #3: “I’m doing X (firewalls, antivirus, etc.), therefore I’m secure.” It’s good to have X, but you need a combination of things to be as secure as you can be. Remember: complete security is a myth.
Myth #4: “IT has it handled.” Do you really know how secure you are? Does IT know how secure you want to be and need to be?
Because technology has become pervasive throughout our organizations, attacks are also becoming pervasive throughout as well. Consequently, cyber security has become a business problem you cannot relegate just to IT or finance. And we also need to change the way security is “tolerated” only as long as it doesn’t interfere with normal business.
So, what does a Culture of Security look like? Well, it might look like a three-legged stool of awareness, action and attitudes.
Cyber security has to be embraced by the senior leadership and actively supported and nurtured, even lived by the senior leadership. Because these attacks can be anywhere in your organization, everybody needs to be educated about potential threats and how to recognize them.
SEE SOMETHING/SAY SOMETHING
It is unrealistic behavior to punish people when an attack happens. We’re better served to be proactive by cultivating an atmosphere based on action. “If you see something, say something” because you never know if it might be a potential attack. This needs to be prevalent throughout the entire organization because so many attacks use social engineering. For example, it might be an email that looks like it comes from your boss asking you to wire them money. So when one person in the company sees that and sounds the alarm, it will avoid someone else in the organization succumbing to it.
TOLERANCE FOR LESS CONVENIENCE
Such tolerance helps build robust security. Examples include more complex passwords that change periodically; multi-factor authentication such as tokens and fingerprints; and segregation of duties and access to information.
How do you get such a culture of security? There are a number of best practice frameworks to choose from. It is also helpful to find an expert who can help you instill a security mindset into your current culture by including security in strategic planning; communicating security-related information on a regular basis; and recognizing people who are doing a great job in being secure.
And, by the way, there is such a thing as a cyber version of a fire drill. Click here to check it out.