“Change” Isn’t a Four-Letter Word: Creating a Culture of Security

Nobody likes change. But do you know what else nobody likes? Data breaches.

Verizon’s 2018 Data Breach Investigations Report counted 53,308 security incidents, including 2,216 confirmed data breaches, over the twelve months it covers. Of those breaches, 76% were financially motivated.

Are you thinking, “My business is too small to be targeted by cybercriminals”? Think again. If a cybercriminal thinks they can make money off of you, they’ll find a way to do it. That could mean stealing credit card data, intellectual property or protected health information, or it could mean stealing nothing at all. Exfiltration isn’t required to turn your business into a payday: ransomware that encrypts your files and locks you out of your systems until you pay (usually in cryptocurrency) does the job just as well, and much of it is sprayed opportunistically at whoever happens to be exposed rather than aimed at a chosen victim. These attacks aren’t focused on the wealthy; they’re focused on the vulnerable.

You will become the target of a cyberattack.

How can you protect your business?

Start by putting your cybersecurity program on a solid foundation and fostering a culture of security within your organization. It is an understatement to say that this will take work, but it is vital to protecting your assets. Let’s start with the basics:

Get your people on board.
To quote David Bowie, “Ch-ch-ch-ch-changes / Turn and face the strange.” The culture within your business will need to change. Because cybersecurity is still largely an afterthought in many organizations, your people may resist necessary policy and procedure changes. Remember: your employees can be your greatest asset, but they are also your biggest security risk. If you want to build a successful program you need all your people on board, and that usually starts at the top. Make the “big wigs” aware of the consequences of a potential incident or breach. Your C-suite and senior leadership need both to be on board and to demonstrate that they are. Be the first person to give up administrator rights on your own computer, then tell your employees how you were still able to do your job; a user who cannot install software or change system settings is a user whose compromised account does far less damage.

Work with your end users.
You will probably need to change processes and technologies. That doesn’t mean the change has to be fast or unpleasant. Get input and feedback from the right people, where appropriate, so that security is applied but your end users are still equipped and empowered to do their jobs.

Too often, cybersecurity policies and plans are written by a single person and uploaded to a shared drive where they are never looked at again. Instead, take a cross-departmental approach and get other leaders in your organization (including technology) involved in writing your cybersecurity policies. You’ll end up with a broader perspective that covers the necessary requirements without inadvertently introducing policies that hinder employees’ day-to-day work, and a policy people helped write is one they are far more likely to follow.

Don’t just preach ‘thou shalt do.’
Most of your workforce has probably never experienced a cybersecurity incident, and that has lulled them into a false sense of security. “It won’t happen to me,” they think. “Cyberattacks happen to other people: celebrities, big companies, the government. Nobody cares about my data.”

This common line of thinking is why you must be willing and prepared to provide facts, details and data to back up your cybersecurity policies. Communicate risk and relate it to the end users you are speaking to. Use storytelling to make cybersecurity feel personal, and avoid any language that could be read as “because we said so.” Unfortunately, it will probably be quite easy to find a story of a company just like yours that suffered major repercussions from a cyberattack. Use that example to introduce why your business is now focusing on cybersecurity best practices. Remind your employees that there is a reason behind every change. Make it personal.

End users need to see and feel that security is everyone’s job.

Remember, it’s not “an IT thing.”
Messages about cybersecurity cannot come only from IT, whose messages are probably already unpopular within your organization. “Here we go again,” your employees might think, “another thing the IT department says I can’t do.” End users need to see and feel that security is everyone’s job. Make cybersecurity awareness part of your onboarding process so employees understand its importance, and their role in it, from day one. Start building a security mindset from the get-go.

Awareness and training are a continuous process. Have others in your organization (not just the IT department) send reminders and messages, post signs, and make cybersecurity visible to all. Appoint cybersecurity advocates in different departments to act as an extension of the information security team, and give them the tools they need to keep employees motivated to follow best practices.

Put an incentive program in place.
These days it’s hard to go a full week without hearing about a new cyber threat or breach in the media, and the coverage skews negative: who did it, and why? Remember, however, that good practices should be rewarded. Turn “if you see something, say something” into an incentive people want to participate in. An employee reports a phishing email requesting a fraudulent wire transfer? They get a gift card. The rate at which employees fall for your simulated phishing went from 60% to 5%? It’s time for a pizza party. Reward good behavior so that your end users, who are your first line of defense, are willing to speak up and protect your assets. (Also, empathize with employees who make mistakes. Punishing them only makes them bitter toward the entire program, and an employee who fears punishment will sit on the fact that they clicked a link, which is exactly the delay an attacker needs.) If you congratulate your employees when they are good cyber citizens, they’re more likely to be happy and engaged participants.

In summary, yes, creating a cybersecurity program is challenging and requires a variety of changes within an organization – and not all of those changes will be welcomed with open arms. However, when you have employee buy-in and keep your workforce engaged with cybersecurity, you can successfully introduce the policies, procedures, and controls that are critical in protecting your organization and its assets.

About The Author: Christina D’Antonio

Christina D’Antonio (ECIH) is a specialist-level technology, information security and risk management professional. Christina is a 2015 graduate of SUNY Albany’s Digital Forensics program. She has three years of experience at GreyCastle Security assisting with the development and implementation of cybersecurity solutions for the financial, healthcare, higher education, energy, information technology and gaming industries. She has knowledge of HIPAA, PCI, ISO and NIST standards and regulations that can be applied in a variety of functions, and experience in proactive and reactive incident response functions, including program development and testing, as well as forensics, including the collection and analysis of evidence.