<div dir="ltr"><a href="http://www.securityinfowatch.com/article/12285170/avoid-these-pitfalls-to-strengthen-your-security-culture">http://www.securityinfowatch.com/article/12285170/avoid-these-pitfalls-to-strengthen-your-security-culture</a><br><br><p>There’s no denying it – every company, no matter the size, industry
or geographic location, will experience a cyber attack. Not only are
hackers getting more creative about how their attacks are engineered and
carried out, but the motivation behind them has evolved beyond
financial gain. From political persuasion to personal vendettas, the act
of the breach itself has become somewhat inconsequential compared to
the damage that can and does result once that data is in the wrong
hands.</p>
<p>Because of these very real risks, companies are investing heavily in IT and data security – and they should be. <a href="http://www.idc.com/getdoc.jsp?containerId=prUS41851116" target="_blank" class="gmail-outbound_link_tracking">IDC</a>
predicts that by 2020, more than $100 billion will be spent on security
solutions. And while it’s true that technology is currently our best
defense against cyber criminals, it’s by no means foolproof, and because
of this, significant vulnerabilities remain. In fact, recent research
from <a href="https://www.bloomberg.com/news/articles/2016-11-02/accenture-says-one-third-of-corporate-cyber-attacks-succeed" target="_blank" class="gmail-outbound_link_tracking">Accenture</a>
suggests that of the more than 100 targeted attacks the average company
faces each year, one-third of those attempts will succeed.</p>
<p>In response, many companies are beginning to look beyond technology
and internal processes/protocols to the employees themselves to close
the security gap. While the idea of a sound security culture sounds
promising, it can be extremely daunting to effectively implement and
enforce. Part of the challenge involves achieving consistency across
organizations and individual business lines. Another factor involves the
wide swath of employees who must all practice and adhere to similar
standards and best practices, despite significant differences in roles,
skill sets and work styles.</p><p>As companies determine the security
posture and culture that work best within their unique corporate
environments, there’s one thing that most can agree on: the tone must be
set by those at the highest levels of the organization, including the
C-suite, board members, and directors. Not only must these individuals
be involved with the creation of the actual information security
policies/procedures, they must also follow these guidelines to a T,
serving as an example for all others in the organization.</p>
<p>Security professionals who are tasked with not only protecting the
organization against a litany of threats but also elevating the urgency
of data-, cyber- and IT security issues to top executives, have a long
road ahead of them. In order to create a strong security culture from
the ground up, or to revisit existing practices, it’s imperative to
avoid the following pitfalls to ensure success.</p>
<p><strong>You’re Overlooking the Basics</strong></p>
<p>For security professionals working in the trenches, it’s easy to
assume that others in your organization understand basic security
practices like you do. While you may know your organization’s security
policies and procedures like the back of your hand, the reality is that
most of your fellow employees have long forgotten what’s allowed and
what’s not. This is a significant issue in organizations where employees
work remotely and/or travel frequently for business and must stay
connected to the office via mobile devices. In reality, if employees are
not compelled to follow the rules, they will make up their own — and no
one is guiltier of this than the C-suite and board members.</p>
<p>With <a href="http://www.prnewswire.com/news-releases/employee-errors-cause-most-data-breach-incidents-in-cyber-attacks-300342879.html" target="_blank" class="gmail-outbound_link_tracking">human error</a> and <a href="http://www.scmagazine.com/lost-devices-leading-cause-of-data-breaches-report/article/518547/" target="_blank" class="gmail-outbound_link_tracking">lost/stolen mobile devices</a>
at the heart of a growing number of data breaches, it is essential to
develop or evolve security policies to ensure alignment with the needs
and behaviors of today’s modern workforce. Updated policies need to
cover the basics including appropriate use of Wi-Fi connections, best
practices for shared workspaces, document access/sharing protocols, and
procedures to follow should a phone, tablet or laptop get stolen or go
missing.</p>
<p><strong>You’re Not Investing in Training</strong></p><p>If you’re
banking on employees following your company’s security playbook on their
own, think again. Many won’t read it to begin with and those who do are
likely unable to understand its contents (and implications) without
explanation. Yet, many companies are not investing resources and time
into training and/or retraining workforces on proper security best
practices. In order to develop a sound security culture, employees need
to receive continuous training and retraining in order to increase the
effectiveness of internal security and data protection programs. </p>
<p>In addition, as hackers employ increasingly sophisticated attacks and
social engineering tactics to break into corporate systems, it is
imperative that all employees — particularly those at the highest levels
of your organization — receive training on how to spot and eliminate
potential threats. For example, phishing attacks remain one of the most
successful hacking schemes in use today, yet roughly <a href="http://www.networkworld.com/article/3138582/security/25-to-30-of-users-struggle-with-identifying-phishing-threats-study-says.html" target="_blank" class="gmail-outbound_link_tracking">one in four people</a>
are still unable to identify when they’ve been targeted. In order to
decrease an organization’s overall vulnerabilities, all employees must
be given the resources needed to improve their working knowledge of
security issues, particularly as it relates to their areas of the
business. Participation in industry conferences, webinars and other
seminars hosted by experts in the field should be encouraged. </p>
<p><strong>You Haven’t Given People a Reason to Care</strong></p>
<p>Like it or not, any company that expects its employees to be security
champions needs to give them a reason to do so. It’s no longer enough
to tell employees that they have to care about security — you have to
show them why they need to care. Thus, a one-size-fits-all incentive
program becomes highly ineffective. If your organization has this type
of effort in place, chances are it’s already falling flat.</p>
<p>Instead, companies need to ensure that incentives appeal to the wants
and needs of different organizational groups. For example, at the
executive level, an effective approach may be to focus on the role of
security (or lack thereof) in terms of brand equity or financial
performance. Other workforce segments may be swayed by bonus potential,
job advancement or greater leadership/management opportunities. In this
case, it is important to take the time to develop customized programs
that reward security-minded behaviors in a way that will motivate
employees to go beyond ticking the compliance checkbox. Companies may
also want to consider adding security best practices as a competency in
annual performance reviews as another layer of accountability for
employees. Likewise, consequences must be enforced if/when secure
behaviors are not followed.</p><p><strong>You’re Using the Wrong Technology</strong></p>
<p>There are countless technologies and services available on the market
today that promise to protect every inch of the enterprise against
hackers and other threat actors. Yet despite increased investment in and
adoption of these solutions, data breaches remain at an all-time high,
with cybersecurity threats increasing in persistence and severity. While
most would agree that the use of innovative technology will be
essential for fighting back against cyber criminals, it is equally
critical for companies to apply the right solutions that will protect
their unique environments and industries. Essentially, even the top
“must-have” solution may not be right for the people, processes or data
your organization needs to protect.</p>
<p>Take the board of directors, for example. According to Diligent’s
research, nearly one in three U.S. board members uses free email service
providers (ESPs), such as Gmail, Yahoo!, AOL and Comcast, to conduct
business. As was recently demonstrated with Yahoo!, free ESPs can and
have been successfully hacked, and thus, highly sensitive information
shared at the board level is at risk of exposure as a result. Because
board members typically sit outside of an organization’s firewall, even
the most robust security solutions would not be able to safeguard
against poor security practices. Instead, technology specifically
designed to secure board-level communication — such as a board portal —
may be needed.</p>
<p>In a world where hackers and cyber criminals remain ahead of the
curve, companies must embrace the use of smart technology solutions,
modern security best practices and a people-powered commitment to
reducing and mitigating threats that could infiltrate the enterprise.
The stakes have never been higher, and everyone — from the break room to
the boardroom — plays a critical role in securing our future.</p><br></div>