How to Build a Stronger Culture of Security

scmediauk-logo-1.png

MONDAY, DECEMBER 11, 2017 | SCMAGAZINEUK, JON FIELDING

How to Build a Stronger Culture of Security

Organisations should create an environment where people feel comfortable discussing data security. If you can create a culture that values the importance of IT security, it can help minimise internal threats.

Whilst we all know that security is crucial and must be embedded into everything an organisation does, rarely a day goes by without news of another data breach. Cyber-criminals are always looking for the weakest link within an organisation, and more often than not, this falls with employees. In fact, 48 percent of IT decision makers in the UK say employees are one of their biggest security risks, according to a survey by Apricorn.

The best way for organisations to protect themselves is to create and foster a strong culture of security. This is dependent on the contributions and collaboration of all employees. If employees are left to their own devices, even the best technical efforts will fail if the company has a weak security culture.

The following five steps can help in building a stronger security culture:

Security from the top down An organisation's management will shape its culture and values. Without their leadership and governance, implementation of an effective security culture will fail. Company execs and management teams need to practice what they preach and demonstrate that they are adhering to best practices, too. They should encourage employees to integrate security practices every day and lead by example, establishing and following the security protocols they put in place.

Policies and procedures

Everyone in an organisation, including employees, contractors, and management should have acceptable procedures that are clearly defined and written down. These should be consistent across the board.

Organisations should develop comprehensive security policies and employees should be educated on these and the risks associated with particular tools and devices. Only IT-approved devices should be used to connect to the corporate network.

Rules must be put in place to restrict employee access, so access to software and systems is limited to what they need, rather than open access to the whole network. This can be adjusted if required to suit mobile workers and contractors to limit further risks. Implementing these rules will provide a good grounding for a solid security culture as employees won't be accessing and putting information at risk that they shouldn't have access to in the first place.

It is essential that these security policies do not interfere with employee productivity. If employees find policies too difficult to follow or too complex to understand, they may well resort to non-sanctioned tools and devices which circumvent IT departmental control and result in additional risks to corporate data.

Security awareness and education

Organisations should review their existing security processes to better understand their current security posture and identify areas which need addressing. This is particularly important in ensuring compliance with regulations such as the upcoming GDPR. Once everything is in place, systems should be regularly tested to withstand the evolving cyber-threats.

Education and awareness programmes need to be provided and applied to all staff, temporary and permanent, and these must be regularly updated and tested.

Organisations should also create an environment where people feel comfortable discussing data security. If you can create a culture that values the importance of IT security, it can help minimise internal threats.

Security basics

Organisations often forget to implement and enforce even basic security hygiene, and many security breaches can be down to something as simple as choosing a weak password or clicking on a link from an untrusted source.

Passwords are the initial line of defence. They are crucial in both our personal and professional lives and can make or break the overall level of security within an organisation. Employees should be clearly informed of the necessary password policies.

Many devices and applications come with default passwords. Using a default password is the same as using no password at all, so this must always be changed immediately. When choosing a password, employees should make it long and complex. Staff should also regularly change their passwords and never reuse them.

Two-factor authentication (2FA) is also an important security process which works by combining something you know (your password) with something you have (eg a fingerprint) to provide an extra layer of protection. Organisations should consider using 2FA as this will make it harder for potential intruders to gain access and steal corporate information.

Phishing emails are crafted to resemble correspondence from a trustworthy source such as a bank or HMRC, created to dupe individuals into clicking on a malicious embedded link. Employees need to ensure they understand the risks when opening email attachments or clicking on links from unfamiliar sources, to avoid putting confidential information at risk. This should be covered in staff awareness training sessions.

Organisations should also have a well-defined patching process in place to ensure all software and systems are updated regularly.

Data on the move

The increasing number of mobile workers is putting a huge strain on data security, and making the need for a strong culture of security even greater. Employees need an open and trusting line of communication with security staff and management to minimise the risks that remote working presents.

The Apricorn survey found that 29 percent of organisations have suffered a data breach or loss as a direct result of mobile working and 44 percent expect mobile workers to expose the business to data breaches. Unfortunately, over half (53 percent) of respondents said managing all the technology needed by mobile workers is too complex. Much like when applying policies, if employees find the tools too difficult to use, they may find an alternative which could prove detrimental. Organisations should consider their technology carefully and ensure all employees are given full training on how to use it to avoid any additional threats.

If data is regularly taken beyond the corporate network, mobile storage devices featuring strong encryption are essential, and non-sanctioned devices should be prohibited from working.

Creating a security culture is the responsibility of every single employee, whatever their role within the organisation. By ensuring a maximum level of education and awareness and creating user-friendly policies and procedures, organisations will have a stronger chance of avoiding non-compliance and putting data at risk of a breach, and ultimately avoiding the repercussions that ensue.