Creating a Culture of Security and Privacy
It seems almost every day we turn on the news and learn of a new data breach or malicious attack on organizations ranging from the entertainment industry to healthcare and finance. The reality is, no organization is completely safe from an attack. And while this may seem grim, there are things organizations can do to help protect themselves. Many see this protection as a product - or stack of products - they use as a safeguard. But security efforts shouldn't stop there. A strong culture of security and privacy is critical to an organization's overall health and success.
See Also: Passwords Alone Aren't Enough
Some organizations have realized and accepted this basic concept, but are quick to learn it can be difficult to carry out. All too often, they don't think about how they can make security a regular part of their operating model. Security should apply to the things we do every day, such as the creation of emails and documents and classifying PowerPoint slides. This practice has the ability to add value and importance to all the different kinds of information we are exposed to throughout the day and how we ultimately process it.
For most, however, it is not automatic or easy to implement security practices. A key example is marking documents with the appropriate classification. Ideally - at every level, all the way through an organization - you would maintain a standardized process of classifying documents. This proves to be incredibly difficult the larger an organization is and the more people who have access to these documents. It's critical to help people recognize you cannot wait for someone to read a document before figuring out how it should be protected. From the moment you receive a document, you should be able to tell its classification level.
Here is where leadership needs to take the responsibility and lead by example to implement this culture. Protecting that organizational information should start in the board room and C-suite, so front line staff can follow and maintain. If leadership shows this is an important aspect of their corporate culture, it is more likely the practice will be successful and permeate all levels, becoming an ingrained part of how their organization works. Additionally, as a company, you have to think about how you are conveying this information to your employees. You need to talk about it, prevent and manage risk throughout the organization, and become an active participant in building this strong security culture.
In the oil and gas industry, safety has become a huge mantra over the past 25 years. Most sites open every meeting with a minute of safety before jumping into the primary topic of discussion. This safety covers everything from driving, to walking around the building, to physically being at an oil rig. You see an incredibly strong culture built around safety and that drives much of the operating model.
Yet, at most companies you don't find those same practices utilized around security and privacy. A culture has to be created, fed and reinforced by activities throughout the day and year. It takes an investment to build and reinforce that culture beyond the annual compliance training - where most employees are simply checking a box rather than directly engaging with the material being presented. Presenting the training materials in an engaging format allows employees to make a deeper connection to what's being presented, and truly understand how their actions can help protect the organization.
National Cyber Security Awareness Month is a good time for companies of all sizes to think about how they can build a culture of security, and reinforce that culture in the workplace so that it extends into employees' personal lives - ultimately leading to a more secure professional and personal environment.