Culture of Security

There is no single answer to the question of how best to secure your business – no firewall or security software can claim to nullify all threats or mitigate all risks.

Important as it is, Technology is just a single weapon in your business security arsenal, you need controls, processes and policies to fill the gaps that Technology can’t fill.  Most of all though, you need the business itself.  Effective security doesn’t just need to involve the business, rather the business has to drive the security- from the Leadership team at the top through all levels of staff, setting a secure mindset is absolutely key to protecting the business.

In fostering a culture of security, the business is recognising that security isn’t just the responsibility of a firewall, or IT, or even a dedicated security team- it’s everyone’s responsibility.  Every member of staff can be a security camera, an access control system, an intrusion prevention system and a firewall- if the business recognises it, and empowers them to do so.

Leaders need to lead

A healthy security culture has to come from the top.  Leaders need to shout the message loud and clear, leading by example with no ‘special treatment’ or exceptions from the rule.

The leadership team need to make sure that the entire business is aware of what is expected of them from a security standpoint, making clear what is acceptable practice and what isn’t, and making available whatever resources, tools or training is needed to enable the expected practices to be followed.

Security also needs to feature more in the board room.  Boards and Senior Management need to realise that the responsibility for security lies not with a department or role within the business, but with themselves as leaders of that business.

How can Management teams expect a good security culture to flourish, if they don’t see the value of being a part of it?

Everyone has a role to play

One of the messages that needs to come from the top is that everyone has their role to play in keeping the business secure.  Whether working on a reception, on a shop floor, in a factory, a warehouse, an office, or working remotely (especially working remotely) then security is a part of your job. 

It starts with awareness- everyone should be aware of what’s expected of them, and what’s expected of their colleagues and management.  If everyone is aware of and follows the business security policies then it’s much easier to spot something out of the ordinary which could potentially lead to, or limit the impact of a breach or other such security incident.

Does that person have an ID badge?  Is that visitor roaming un-escorted because they are lost or is something more malicious afoot?  Is this email asking me to make an urgent payment to a bank account really from the CFO, or am I being phished?? 

Turning weakness into strength

While it may be true that staff are often the weak link in the business security chain, imagine how effective a defence your workforce could be when immersed in a culture of good security practice?

It’s no coincidence that typically more than 9 out of 10 security breaches start with an email- it’s because humans are vulnerable, and cyber criminals know it.  Unlike firewalls, humans tend to have compassion, a desire to help and to please, and can be rushed into making poor decisions- all of which are major security flaws, from a risk perspective.

However, if the humans who make up your staff are educated, and aware, and empowered then there’s no reason why they can’t become ‘human firewalls’- scanning emails for suspicious requests from suspect sources, reporting bad practice and rejecting anything that isn’t compliant with how their business works.  Suddenly every single member of staff is fighting the good fight and your security ‘weak link’ is now your strongest security asset.

Knowledge is power

In order to make human firewalls out of your staff however, the first step is educating them. 

Security training will tell them what the policies are and sets out how the business will operate, and do business securely.  It’s important to realise though that this isn’t a one-off, ‘fire and forget’ hour-long slideshow, but an ongoing investment of time, and effort, that needs to be refreshed and tested often to make sure that it really is part of the day-to-day, and everyone is up-to-date with latest policies.

More importantly still, threats and attacks are constantly evolving so you’ll need to train your staff frequently to counter, and prepare for anything that they may not have seen before.

Training sessions should also be relevant, engaging and wherever possible, practical with examples and interaction where possible.  Slides alone rarely inspire anyone to take notice let alone action, and you’ll want to know that what you’re talking about is sinking in.

Make it personal

Good security practice is good security practice, whether at work or at home.  As a business you shouldn’t underestimate the benefits that instilling solid security foundations into an employee could bring to that employee long after they’ve clocked-off, or even left your employment entirely.

Something our team of trainers here at CyberScale always ensure they get across is how being secure in your work can also help you be secure outside of the workplace.  Though the assets they will be protecting may be different, the key defences are largely the same whether at home or at work. 

Letting people know how the practices and knowledge they pick up during training at work can help them personally works wonders for increasing ‘buy-in’ and helps keep interest up. 

Of course now with many employees working remotely or at home, it’s in each business’ interests directly to help staff secure their own environments and adopt good practice, but getting that mutuality of benefit across could help good security practices permeate through the culture in your business.

Where there’s no blame….

When we talk about a good security culture, it’s important to note that it’s not just policies and documents that make it.  It’s also about creating a level of trust and confidence within the business.  Employees at every level need to feel comfortable and empowered to speak up if they see something suspicious, or to own up if they themselves have breached policy whether inadvertently or not, or just to ask questions or make suggestions.

Fostering a ‘no blame’ stance from the business can encourage staff to come forward, where they may otherwise choose to stay silent or turn a blind eye if they feel they may be blamed or made a scapegoat in case of a breach or incident.  It comes back to the edict that security is everyone’s responsibility, and in sharing that responsibility then the burden of responsibility or ‘blame’ is not felt by any one member of staff.

Of course, in order to help create a healthy security culture it’s important to have the expertise to define the policies and practices, and create a security strategy that includes a security-literate workforce.  If such expertise doesn’t exist in-house, then engaging a security partner to define scope and put together an action plan to set you on your way could be a quick and cost-effective way to not only kick-start your security culture, but help maintain and nurture it as your business grows.

Whether your security function is in-house or external, often the business itself and the attitude to security within it are the most effective weapons in the fight against cyber crime. 

The fact is that every organisation already has a security culture even if they don’t realise it, but whether that culture is good or bad is another question entirely.  A bad culture can make your business more vulnerable and more at-risk, a good culture will give you every chance to prevent breaches and reduce risk.  How’s the culture in your business?