[BreachExchange] Avoid these pitfalls to strengthen your security culture

Inga Goddijn inga at riskbasedsecurity.com
Wed Dec 7 18:08:58 EST 2016


http://www.securityinfowatch.com/article/12285170/avoid-these-pitfalls-to-strengthen-your-security-culture

There’s no denying it – every company, no matter the size, industry or
geographic location, will experience a cyber attack. Not only are hackers
getting more creative about how their attacks are engineered and carried
out, but the motivation behind them has evolved beyond financial gain. From
political persuasion to personal vendettas, the act of the breach itself
has become somewhat inconsequential compared to the damage that can and
does result once that data is in the wrong hands.

Because of these very real risks, companies are investing heavily in IT and
data security – and they should be. IDC
<http://www.idc.com/getdoc.jsp?containerId=prUS41851116> predicts that by
2020, more than $100 billion will be spent on security solutions. And while
it’s true that technology is currently our best defense against cyber
criminals, it’s by no means foolproof, and because of this, significant
vulnerabilities remain. In fact, recent research from Accenture
<https://www.bloomberg.com/news/articles/2016-11-02/accenture-says-one-third-of-corporate-cyber-attacks-succeed>
suggests that of the more than 100 targeted attacks the average company
faces each year, one-third of those attempts will succeed.

In response, many companies are beginning to look beyond technology and
internal processes/protocols to the employees themselves to close the
security gap. While the idea of a sound security culture sounds promising,
it can be extremely daunting to effectively implement and enforce. Part of
the challenge involves achieving consistency across organizations and
individual business lines. Another factor involves the wide swath of
employees who must all practice and adhere to similar standards and best
practices, despite significant differences in roles, skill sets and work
styles.

As companies determine the security posture and culture that work best
within their unique corporate environments, there’s one thing that most can
agree on: the tone must be set by those at the highest levels of the
organization, including the C-suite, board members, and directors. Not only
must these individuals be involved with the creation of the actual
information security policies/procedures, they must also follow these
guidelines to a T, serving as an example for all others in the organization.

Security professionals who are tasked with not only protecting the
organization against a litany of threats but also elevating the urgency of
data-, cyber- and IT security issues to top executives, have a long road
ahead of them. In order to create a strong security culture from the ground
up, or to revisit existing practices, it’s imperative to avoid the
following pitfalls to ensure success.

*You’re Overlooking the Basics*

For security professionals working in the trenches, it’s easy to assume
that others in your organization understand basic security practices like
you do. While you may know your organization’s security policies and
procedures like the back of your hand, the reality is that most of your
fellow employees have long forgotten what’s allowed and what’s not. This is
a significant issue in organizations where employees work remotely and/or
travel frequently for business and must stay connected to the office via
mobile devices. In reality, if employees are not compelled to follow the
rules, they will make up their own — and no one is guiltier of this than
the C-suite and board members.

With human error
<http://www.prnewswire.com/news-releases/employee-errors-cause-most-data-breach-incidents-in-cyber-attacks-300342879.html>
and lost/stolen mobile devices
<http://www.scmagazine.com/lost-devices-leading-cause-of-data-breaches-report/article/518547/>
at the heart of a growing number of data breaches, it is essential to
develop or evolve security policies to ensure alignment with the needs and
behaviors of today’s modern workforce. Updated policies need to cover the
basics including appropriate use of Wi-Fi connections, best practices for
shared workspaces, document access/sharing protocols, and procedures to
follow should a phone, tablet or laptop get stolen or go missing.

*You’re Not Investing in Training*

If you’re banking on employees following your company’s security playbook
on their own, think again. Many won’t read it to begin with and those who
do are likely unable to understand its contents (and implications) without
explanation. Yet, many companies are not investing resources and time into
training and/or retraining workforces on proper security best practices. In
order to develop a sound security culture, employees need to receive
continuous training and retraining in order to increase the effectiveness
of internal security and data protection programs.

In addition, as hackers employ increasingly sophisticated attacks and
social engineering tactics to break into corporate systems, it is
imperative that all employees — particularly those at the highest levels of
your organization — receive training on how to spot and eliminate potential
threats. For example, phishing attacks remain one of the most successful
hacking schemes in use today, yet roughly one in four people
<http://www.networkworld.com/article/3138582/security/25-to-30-of-users-struggle-with-identifying-phishing-threats-study-says.html>
are still unable to identify when they’ve been targeted. In order to
decrease an organization’s overall vulnerabilities, all employees must be
given the resources needed to improve their working knowledge of security
issues, particularly as it relates to their areas of the business.
Participation in industry conferences, webinars and other seminars hosted
by experts in the field should be encouraged.

*You Haven’t Given People a Reason to Care*

Like it or not, any company that expects its employees to be security
champions needs to give them a reason to do so. It’s no longer enough to
tell employees that they have to care about security — you have to show
them why they need to care. Thus, a one-size-fits-all incentive program
becomes highly ineffective. If your organization has this type of effort in
place, chances are it’s already falling flat.

Instead, companies need to ensure that incentives appeal to the wants and
needs of different organizational groups. For example, at the executive
level, an effective approach may be to focus on the role of security (or
lack thereof) in terms of brand equity or financial performance. Other
workforce segments may be swayed by bonus potential, job advancement or
greater leadership/management opportunities. In this case, it is important
to take the time to develop customized programs that reward security-minded
behaviors in a way that will motivate employees to go beyond ticking the
compliance checkbox. Companies may also want to consider adding security
best practices as a competency in annual performance reviews as another
layer of accountability for employees. Likewise, consequences must be
enforced if/when secure behaviors are not followed.

*You’re Using the Wrong Technology*

There are countless technologies and services available on the market today
that promise to protect every inch of the enterprise against hackers and
other threat actors. Yet despite increased investment in and adoption of
these solutions, data breaches remain at an all-time high, with
cybersecurity threats increasing in persistence and severity. While most
would agree that the use of innovative technology will be essential for
fighting back against cyber criminals, it is equally critical for companies
to apply the right solutions that will protect their unique environments
and industries. Essentially, even the top “must-have” solution may not be
right for the people, processes or data your organization needs to protect.

Take the board of directors, for example. According to Diligent’s research,
nearly one in three U.S. board members uses free email service providers
(ESPs), such as Gmail, Yahoo!, AOL and Comcast, to conduct business. As was
recently demonstrated with Yahoo!, free ESPs can and have been successfully
hacked, and thus, highly sensitive information shared at the board level is
at risk of exposure as a result. Because board members typically sit
outside of an organization’s firewall, even the most robust security
solutions would not be able to safeguard against poor security best
practices. Instead, technology specifically designed to secure board-level
communication — such as a board portal — may be needed.

In a world where hackers and cyber criminals remain ahead of the curve,
companies must embrace the use of smart technology solutions, modern
security best practices and a people-powered commitment to reducing and
mitigating threats that could infiltrate the enterprise. The stakes have
never been higher, and everyone — from the break room to the boardroom —
plays a critical role in securing our future.