
The Importance Of A Strong Security Culture And How To Build One

Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.

Cybersecurity has long been top of mind for organizations of all types and sizes. The pandemic has shifted these concerns and, in many ways, made them even more complex and front and center. As a Fortune article pointed out in April, “The hybrid office will create great opportunities — for companies and cybercriminals.”

Those opportunities, of course, are already being created, and the risks they bring won’t be solved through one-off, episodic initiatives designed to raise awareness and change ingrained employee attitudes and behaviors. Only a strong security culture can do that.

The Critical Importance Of A Strong Security Culture

What is “security culture”? It is the ideas, customs and social behaviors of an organization that influence its security. It is the most important element in an organization’s security strategy. And for good reason: The security culture of an organization is foundational to its ability to protect information, data and employee and customer privacy.

Some companies are beginning to get it. They are moving beyond tactical, episodic approaches to security and recognizing that effective enterprise-wide security requires a strategic, long-term approach, focusing more on communication and culture than exhortations from IT and an ongoing stream of new policy mandates.


It’s disheartening, though, that there are still plenty of organizations that don’t get it. This is especially alarming given the uptick in phishing attacks we’re seeing. In their Q4 2020 Ransomware Marketplace Report, ransomware remediation and analytics firm Coveware noted that, for the first time, phishing surpassed other techniques as the most common tool used by hackers to gain access to organizations’ data and information.

The Pandemic Impact

Not surprisingly, during the pandemic, some industries and organizations have seen their security cultures stagnate or decline. As many organizations transitioned to a work-from-home model, new security issues and concerns emerged, with communication and education becoming somewhat more challenging.

Security Magazine cited a study in which 46% of respondents experienced “at least one security incident” since the pandemic started. More than half (51%) were victims of email phishing attacks. Covid-19-themed phishing campaigns impersonated trusted brands like Netflix, Microsoft and the CDC to commit fraud, exposing “deeper, more significant cracks in enterprise security.”

Customers of my company (KnowBe4) tell us there is an overt hunger for more focused security information and an awareness that they may have gaps in their knowledge. They feel they would not be able to tell if their computers were compromised. As we know, threats like ransomware can sit undetected and do damage for months before they are discovered, even in top-performing organizations.

Ongoing awareness, understanding and appropriate action are required to ensure organizations’ data is safe and that employee and customer data is not compromised. But information can be confusing.

Inconsistent Messaging Creates Confusion

It’s not surprising that there is so much confusion among employees about what they should and shouldn’t be doing to protect company information. Even something as seemingly simple as using effective passwords has historically been a mishmash of contradictory and changing communications.

Over the past 30 years, security experts have trained employees to do everything from changing their passwords every 30 days, to not changing them at all unless they’ve been affected by a breach, to limiting passwords to only numbers or letters, to requiring every combination of numbers, symbols, letters and cases. It’s no wonder that employees are not only confused but burned out by changing and hard-to-understand directives.


We can do better. As we indicated earlier, the key to building strong security behaviors is building a strong security culture. That means an ongoing process that is driven not from the IT department but from the top of the organization down. A process that is fueled by a relentless — and consistent — drumbeat to help employees understand exactly how their daily behaviors have the potential to protect or threaten corporate data.

Building And Supporting A Strong Security Culture

There are some very practical and actionable steps organizations can take to develop and nurture a strong security culture across seven distinct dimensions:

Attitudes: Employee feelings and beliefs about security protocols and issues.

Behaviors: Employee actions that impact security directly or indirectly.

Cognition: Employee understanding, knowledge and awareness of security issues and activities.

Communication: How well communication channels promote a sense of belonging and offer support related to security issues and incident reporting.

Compliance: Employee knowledge and support of security policies.

Norms: Employee knowledge and adherence to unwritten rules of conduct related to security.


Responsibilities: How employees perceive their role as a critical factor in helping or harming security.

These seven dimensions are measurable via a security culture survey. Start by understanding where you are as a benchmark. Then compare your survey results to those of other industries and build a plan for improvement. For instance, if you realize that you need to up your game in terms of “norms,” then you might consider implementing a security champions program or a mentorship program. If your organization needs improvement in the dimension of “cognition,” then you could assess your security awareness program. You get the idea — understanding where you are provides you guidance on where you can improve.

Security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behaviors and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape. The alternative becomes less attractive by the hour — do nothing and watch your organization be brought to a halt by ransomware, data theft or business interruption.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders.

