By Haris Pylarinos, CEO at Hack The Box
Culture is what people do as a group without deliberation. It’s all about attitude and habits. This is seen in how corporate culture is born from the C-suite and policy, extending to the entire organization chart.
Security culture is the cybersecurity aspect of the corporate world. We look to company policy and business leaders to set the tone for how information is handled and how technology should be used.
If executives casually share their user account passwords with their assistants and receptionists, other departments will decide that it’s an appropriate method of conduct, weakening their security posture. That’s a bad practice. Passwords should never be told to another human being. That’s one example of many bad security habits that wouldn’t be emulated in an organization with a strong security culture.
Unfortunately, for many businesses building a strong cybersecurity culture is not a top priority, as security doesn’t lead to profitability early on. Most organizations ignore the issue until years down the line. The longer an organization procrastinates on security, the harder and more expensive it becomes to implement. It’s like the dishes: it’s very easy to do when it’s just one night’s worth. But if you wait too long, the sink fills up to a point where getting a takeaway seems like an easier solution – rather than actually dealing with the problem.
A security culture framework
A strong, carefully designed security policy is essential, regardless of an organization’s size or industry. But policy can be useless without enforcement.
Cyber threats are getting more sophisticated and destructive as the years go on. The human element is often overlooked when it comes to cyber defense. But people are a frequent attack vector for cybercriminals. Criminal groups generally don’t target an individual company, they find one easy technique and try as many companies as possible. Recently, they have started doing OSINT on cyber insurance companies that pay ransoms to get access to their clients and target them. Just because you are small or big, SME or Fortune-500, doesn’t mean you can not be a target.
Everyone needs to do something to bolster security. Security culture must always be a priority.
A strong security culture should become central to any corporate culture. Employees need to understand why using multiple factors of authentication throughout apps and networks is crucial. Everyone in every department and every role should understand how their actions impact the company’s cybersecurity posture as a whole. Everyone in each department should also be assigned a set of rights expressly set based on their business role. If anyone discovers a vulnerability or has any other sort of security concern, their input should be valued, welcomed, and investigated.
As Bruce Schneier says, “security is a process, not a product.” We can not take our security controls for granted. We have to do the everyday work of always making them better.
Building a culture of security
Many people think that cybersecurity is solely IT’s responsibility. Security culture doesn’t only apply to technical staff. Administrative staff, security guards, and janitorial staff play a crucial role in maintaining physical security. Customer service agents can be the gatekeepers to authentication credentials. Office staff, customer service agents, and other roles which deal directly with the public are often the first target for cybercriminals.
Security culture is not only a group effort. It’s also an effort that is built over time.
Security culture starts at the top, with policy and leadership. It then extends to all departments and employees. It’s an attitude that we share as a group, working together toward a common goal.
One of the scariest behaviors we see in business is when a company has zero security budget until ransomware or a major data breach hits. Then millions of dollars materialize to recover from the disaster. It all gets spent on extensive IT work, PR, and legal tedium.
An ounce of prevention is worth a dose of cure. It’s always much more cost-effective to invest in cybersecurity from the very beginning than to deal with cyber incidents in their aftermath.
How to avoid cyber threats
Don’t let your company become a statistic. Make news headlines for your quality goods and services, and avoid headlines that detail how cybercriminals extorted a hefty ransom from your organization.
Never underestimate the danger of reputation damage. Accountants can’t quantify it, but it will hit your bottom line, and it will hurt. Consumers, corporate clientele, and your supply chain will avoid doing business with your company if they think your organization has ineffective cybersecurity. No one wants their sensitive financial data in the hands of cybercrime groups.
I see the potential in people and organizations of all kinds. People want to participate in a strong security culture. They want to be shown how. Get started developing strong security policies and habits now, and your organization will be much more resilient in the face of the ever-evolving cyber threat landscape.
Every day, more and more organizations decide that today is the day they’re going to start prioritizing cybersecurity. We can do it. We can all improve cybersecurity as a team effort. Training, policy, attitude, and persistence are the key ingredients.