Establishing a Cyber Security Culture
Why You Need a Cyber Security Culture in Your Organization
You can do a great job of policing your networks, keeping current on your patches, and discovering
intrusions, and still be left open to security problems. The number one vulnerability isn’t buried
somewhere in your software or network; it’s your employees.
We’ve all had coworkers who opened that email attachment from an unknown source, even
though they had been warned not to, and infected their own computer or others. “A
leading cause of security breaches is a basic human vulnerability: our susceptibility to
deception,” according to a study done at the University at Albany (SUNY). With the increase
in users connecting to cloud servers, email, social media, and the internet every day, the
opportunity for something bad to sneak into your systems is high no matter how
security-conscious you are. Couple that with remote workers and employees using their
personal laptops or cell phones to access your systems, or logging in over public WiFi, and you
have the recipe for mischief.
You can’t do it alone. You need to create a cyber security culture in your organization.
Everyone Has To Participate
From the entry-level employees to the big boss in the corner office, it must be everybody’s
mission to follow safety and security protocols. All it takes is one person replying to the
phishing email, or sharing their password, to cause problems.
When Someone Catches Something, Call it Out!
How often has someone in your company forwarded you an email and asked whether it’s
malicious? How often has someone clicked on a link in an email, caused you problems, and then
called on you to fix it? It can be frustrating, especially when you look at it and think it should
have been obvious. However, it happens. Instead of sending out that same email saying, “If you
see this, don’t click on it,” a better strategy for getting organizational buy-in is to give public
credit to the person who flagged the issue. It may encourage others to think twice before doing
something careless, and get them to flag potential problems for you before they become real ones.
Help them understand that by sharing potential threats and concerns, they are all taking part in
making the workplace a safer place for everyone.
Spread The Message And The Risks
In order for everyone to take it seriously, you have to make them understand just how
important cyber security is. Here are some facts you may want to share to get their
attention:
• Phishing emails account for 91% of cyber-attacks, typically someone innocently clicking on a
random email or link. One study found that 1 out of every 131 emails contains a malware threat.
• Computer virus and malware attacks grew by 145% in the past year, and data breaches grew
by 164%.
• More than 50% of all businesses experienced a cyber-attack of some form last year.
• 81% of breaches are the result of either stolen or weak passwords.
One IT manager we know purposely slowed his network down to a crawl to get people’s
attention. When employees complained, he let it be known that all it takes is one random email
to cause the whole system to be compromised. While we’re not advocating you do that, it did
bring the problem front and center for the rank and file.
Formal Policies And Procedures
You likely have an Employee Handbook, or Organizational Best Practices guide, that covers
human resources policies and procedures. Review yours and see what it says about information
security. We’re often surprised by how many large organizations will tell
employees they must keep the physical doors to the building secure, but fail to address leaving
their computer systems wide open. For example, we all know we need to use strong passwords
with letter, number, and symbol combinations. Yet a recent study done by Keeper, a password
storage company, found that the 25 most common passwords accounted for roughly half of the
10 million passwords it scanned from data breaches. The most commonly used passwords
included 123456, qwerty, and password. Composition rules alone do not catch this: a deny list
of known-common passwords, checked automatically at the point a password is set, does.
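As an added example (not from the article), here is a small Python check of the kind a password policy can enforce automatically rather than leaving it to the honor system: it rejects anything on a deny list of common passwords, and also rejects trivial variants such as "P@ssw0rd123!", which satisfies a letters-plus-numbers-plus-symbols rule yet normalizes back to "password". The ten-entry deny list is a constructed sample standing in for a real leaked-password corpus like the one the Keeper study scanned, the leet-speak substitution table is an assumption, and the names `check_password`, `normalize` and `meets_composition_rule` are this example’s own.

```python
"""Added example: automated password deny-list check (not the article's code).

The deny list below is a constructed sample standing in for a real
leaked-password corpus; a production check would load the full list.
"""
from typing import List

# Constructed sample deny list (a real one has millions of entries).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "111111",
    "letmein", "welcome", "admin", "football", "iloveyou",
}

MIN_LENGTH = 12

# Assumed substitution table: common "leet" swaps people use to satisfy
# composition rules. Folding them back lets "P@ssw0rd" match "password".
_LEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
    "7": "t", "1": "l", "!": "i",
})

# Digits and symbols people tack onto the end of a base word.
_TRAILING = "0123456789!@#$%^&*.?_-"


def normalize(pw: str) -> str:
    """Reduce a password to the base word it was built from.

    Lowercase it, drop the trailing digits/symbols people append
    ("Qwerty1!" -> "qwerty"), then fold leet substitutions
    ("p@ssw0rd" -> "password"). Stripping runs before folding so that
    a trailing "1!" is removed rather than turned into letters.
    """
    return pw.lower().rstrip(_TRAILING).translate(_LEET)


def meets_composition_rule(pw: str) -> bool:
    """The classic 'letters, numbers and symbols' rule on its own."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return has_alpha and has_digit and has_symbol


def check_password(pw: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accept."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Exact match first (catches "123456", which normalize() would strip
    # to an empty string), then the normalized form for variants.
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    elif normalize(pw) in COMMON_PASSWORDS:
        problems.append("is a trivial variant of a common password")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd123!", "Qwerty1!",
                      "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: composition rule "
              f"{'passes' if meets_composition_rule(candidate) else 'fails'}; "
              f"deny-list check: {'; '.join(verdict)}")
```

Run stand-alone it prints one line per candidate; the point to notice is that "P@ssw0rd123!" passes the composition rule and is still rejected, while a long passphrase with no digits or symbols fails the composition rule and is accepted by the deny-list check. Wiring such a check into the place passwords are actually set is what turns a handbook sentence into a policy that holds.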
Some companies require password changes every 30 days or even more often, on the reasoning
that while employees may complain about the practice, it is a monthly reminder of how important
security is and how seriously we take it. Be careful with that reasoning. If you force people to
change passwords too often, you’ll find a lot of them will write them down and “hide” them in
obvious places, and current NIST guidance (SP 800-63B) advises against arbitrary periodic
changes, recommending a forced change only when there is evidence the password has been
compromised. Requiring 2FA (two-factor authentication) when logging into an account or service
buys far more than frequent rotation does. Either way, it’s a good idea to do an occasional
sweep through the office and check monitors, under calendars, and under keyboards to see
whether passwords are being written down.
Consider restricting employee access to systems, networks, and software they don’t need as part
of their job. Give them access to only what they need and use. If they need to access something
for which they don’t have the rights, make them justify the need.
Cyber Security Training And Education
According to a study by the Aberdeen Group, consistent training can change behavior and reduce
security-related threats by more than 45%. We train employees on many aspects of our business,
but often fail to give them formal training on crucial topics like cyber security. Consider making
security training part of every person’s onboarding process, with at least an annual refresher
course.
Just because it’s common sense to you doesn't mean your team members understand it. We see
people working on their laptops at the local coffee shop all the time, on public WiFi that is open
to eavesdropping and to rogue access points imitating the café’s network. Do your employees know
the threat, and do they know to connect through the company VPN before touching anything
internal?
It Takes A Team Effort
When people think about data breaches or hackers, they think of shady people in a dark room
somewhere using sophisticated software to break into your systems. The reality is that it’s more
likely an employee unwittingly opened the door for them.
In order to be effective, the entire team has to understand the importance of security and
appreciate the threats. You can’t do it alone.