You should have the best security technology you can afford, and your organization should have the most effective security policies it can write. But ultimately, the most powerful way to protect the organization is to create a culture of security. Whatever your place of business (a large or small company, a healthcare provider, an academic institution or a government agency), building a culture of cybersecurity from the break room to the boardroom is essential. Why does culture matter so much? Think of the employees as the company's first firewall: staff stand between an organization's information assets and the thieves who want to plunder them. Intrusions that rely entirely on technology are rare. Most intrusions begin with people, through fraud such as phishing that takes advantage of employee carelessness or poor judgment, and occasionally through an employee's own criminal intent.
Think of your company as a community. Three factors are commonly cited as the primary reasons law and order hold in a community.
1. Risk Perception
Members of a community can prevent or report crime only if they know what it looks like and take the threat seriously. This is why police departments in some communities work so hard to build trust, and it is the origin of the slogan "See something, say something." In a company, you build risk perception through user awareness training: teach all employees what cybercrime looks like (a phishing e-mail, a caller claiming to be from IT, an unexpected request to move money or share credentials) and how it is likely to affect them and the organization.
2. Social Norms and Conformity
Most human beings behave well because of social norms, the informal understandings about how to act that we carry with us through everyday life. Yes, the laws are there, but it is mostly the opinions of our neighbors that keep us in line. Like every community, every organization has a culture with its own social norms, often ones we are not even aware of. Finding ways to incorporate security into those norms goes a long way toward protecting your organization's assets. Here is how. First, make sure the leadership of the organization stresses the value of security and backs those words with behavior. A CEO who talks about the importance of security and then writes a password on a sticky note stuck to the monitor will harm the culture of security more than help it.
Second, provide more advanced user training that teaches skills, not just awareness, and attach a positive value to completing it. The Logical Operations CyberSAFE program, for example, culminates in a certification, so those who complete it hold a credential that is tangible evidence of their value to the organization.
3. Routine Monitoring
Breach-cost studies consistently find that companies with skilled incident response teams suffer fewer catastrophic data breaches and pay less on average when breaches do occur. The reason is that an incident response team shortens the attackers' "dwell time," the interval between the initial compromise and its detection and containment, during which intruders move through the network and collect data. But incident response teams also contribute to the culture of security in their own right: their presence reminds employees that security matters.
My advice is to designate, train and support an incident response team and to promote its visibility within the organization. You may even want to enhance the team's prestige: stage a competition among candidates to join it, report on it regularly in the company newsletter, and have its members give security presentations to other departments. Promoting the incident response team reinforces social norms and conformity, and the reassurance that a capable team exists adds to the sense of stability that lets people get on with their work. Logical Operations' CyberSec First Responder program is an example of a way to train and certify an elite incident response team.
It is not all about technology and law enforcement. Find as many ways as possible to support your employees' adherence to security policies, exercise of good judgment and recognition of fraud. Risk perception, social norms and routine monitoring all contribute.