Now that technology is the very lifeblood of any successful enterprise, getting the people that work for each organization to use their tech safely has become a priority.
Technical and embedded process controls can take you so far, but every enterprise still needs many of their decisions and actions to be performed by people. When it comes to cybersecurity, we have all heard that people are alleged to be the weakest link. So, just what are organizations doing to make good cyber practices an everyday part of their regular activities?
A recent ISACA and CMMI Institute survey on cyber culture of over 4,000 infosecurity professionals from across the globe highlighted some of the initiatives many companies are embracing:
Most organizations understand the need to provide regular and relevant training to their people. One challenge is to lift that security training beyond a tick-box exercise as not all security training is informative, interesting or of value to the recipients. Sending out a very dry document full of rules with an acknowledgement has nowhere near the power of an interactive session full of relevant examples with questions to verify the recipients’ understanding.
According to the ISACA and CMMI survey, 66% of respondents report that improving the cyber culture has a direct benefit to reducing their security incidents and 65% think it helps improve customer trust.
When it comes to cyber culture, trust is an important principle. In my own experience, the culture in some countries can result in employees reacting negatively to incentives that work well in others. Try a phishing simulation in some locations and it may help improve security reporting and reduce any rogue clicks, but push that same practice into other countries and the effect can be to make the employees feel like they are being tricked by their own employer.
A further problem is that between recent changes to privacy laws, such as GDPR and the growing list of security practices to be aware of, the amount of information thrown out to regular staff can be overwhelming. In one case (many years back), a supplier of helpdesk services noted with dismay that staff would have to complete over 150 online courses before they could ever pick up a single call!
With some 80% of training now happening through online courses, it can be easy to forget the impact and message fatigue the recipients will experience if the number, length and content is unrealistic. A good tip here is to capture metrics on exactly what people have to go through in terms of their initial and regular training. What do they really need to know? Is your organization delivering that information as concisely, effectively and efficiently as possible?
One of the benefits of auditing security at so many organizations is that I get to see what works well – and what practices fall far short.
It is definitely better to train and provide information than not to provide it – but the organizations that really succeeded in embedding a strong cyber culture had similar traits. Here are some of the best practices observed:
Automate or embed controls wherever possible
You can tell people not to download and send vast numbers of personal records, but what works a lot better is to have controls in place to help ensure this is not something that is usually possible. Controls inside applications and settings on data loss prevention to block or inform users about prohibited transactions work well.
Make your security team accessible
Given security resource constraints and skills shortages, one of the biggest challenges can be that nobody outside of the most senior executive can communicate with their security function.
It may not be feasible for every staff member to be able to call a security pro, but it is possible to provide clarity on how to report known or suspicious activities. Although team members may not be able to respond to every communication, the process can make it clear that they definitely will respond to everything significant.
Seek out executive support
Executive support is key to successful cyber culture, and pointing out that a stronger cybersecurity culture helps to boost profitability may be a practical way to do so. The survey results show only about half (53%) of senior executive teams understand their organizations’ cybersecurity culture very well or completely, leaving far too many organizations at a significant disadvantage when it comes to leveraging executive support.
Be realistic with security expectations
Regular staff, contractors and suppliers will usually try their best to deliver to realistic expectations – but remember, they are not security professionals. If you want them to report or manage activities in a certain way, then they will need clarity in what is required.
One of the most frequent gaps in security practices can be found where organizations block their resources from using certain platforms, such as file-sharing and webmail, but then fail to offer a secure equivalent that meets their needs. When an employee or other worker is faced with an unworkable technical obstacle, they will find a workaround, and it usually even less secure than the action that was prevented in the first place.