Vulnerabilities / Threats
11/16/2018 10:30 AM
Marc Wilczek
Commentary

95% of Organizations Have Cultural Issues Around Cybersecurity

Very few organizations have yet baked cybersecurity into their corporate DNA, research finds.

These days, a sinister phenomenon called cybercrime-as-a-service is steadily growing, enabling malcontents with only basic technical skills to perpetrate massive IT disruption among companies of all sizes, everywhere. All they need to know is how to unleash firepower by hiring a cybercriminal or their services through one of the various marketplaces on the Dark Web — the shady underworld where demand meets supply.

Some may consider cybersecurity to be the sole purview of a company's IT department, but that's wrong. It's essential for HR and IT to work hand in hand to train staff in online safety and write solid cybersecurity policies that collectively serve to entrench security in the corporate culture.

Deeply Embedding Cybersecurity into the Organization's DNA
According to Information Systems Audit and Control Association's (ISACA) Cybersecurity Culture Report, 95% of organizations admit that their current cybersecurity environments are far from the ones they'd like to have. In a poll of some 4,800 business and technology professionals, a mere 5% of them say their organizations' cybersecurity culture is sufficient to safeguard the company against threats from both inside and outside. An overwhelming 87% of respondents think that establishing a stronger culture of cybersecurity would increase their organization's profitability or viability.

The CMMI Institute, an ISACA enterprise commissioned to write the report, defines a cybersecurity culture as one that incorporates cybersecurity into every aspect of an organization's operations. Rather than treating it as a cost item or afterthought, digitally savvy organizations deeply embed cybersecurity into their DNA and see it as a differentiating factor against the competition — simply because their services are more reliable, secure, and trustworthy than those of their rivals. While the need for a change might be obvious, it's often much easier said than done. Getting to this happy place demands a major rethinking of the status quo and a different corporate mindset.

ISACA found that in organizations where employees are highly engaged in cybersecurity, 92% of respondents say their executive leaders have and share an excellent knowledge of potential cybersecurity problems. But 42% say their companies don't have a cybersecurity culture management plan or policy. The study concludes that there's a positive correlation between companywide employee involvement and organizations' satisfaction with their cybersecurity culture. In fact, companies that feel they're far from their ideal security culture spend 19% of their cybersecurity budget on tools and training; the ones that are more attentive to and supportive of cybersecurity expend far more (43%) on tools and training to improve staff knowledge and engagement.

Complex Policies Are Useless
Unfortunately, just because a company has a cybersecurity policy does not necessarily mean that employees will adhere to it. As the research firm Clutch found, almost half (47%) of employees don't pay much attention to their employers' cybersecurity policies.

Most employees (64%) use a company-approved device for work, but only 40% of them are supposed to follow rules governing the use of personal devices. Employees' use of their own devices to transact company business exposes those companies to all varieties of online risk. Virtually all employees (86%) check email and more than two-thirds (67%) access shared documents using their devices, many of which may lack the protection needed to shut out hackers and other Internet intruders.

A big reason why internal cybersecurity practices can be ineffective is that it's easy for staff to become overwhelmed by all the different rules and procedures they're supposed to follow. It all becomes too much to swallow. Maarten Van Horenbeeck, writing in the Harvard Business Review, opines that "some of these rules often don't work because they are simply too complex and drive people to take shortcuts that defeat their purpose," suggesting that education, user-friendliness, and simplification are the factors that drive success.

Thus, simply having a policy isn't enough. Companywide communication and careful training are needed and, in light of escalating security breaches, are more necessary than ever. But the training needs to be easy to digest and to follow up on.

Conclusion
Employees are typically on the front lines when cybersecurity incidents occur. However, many of them come into contact with their organization's cybersecurity policies primarily through reminders and restrictions. Those who don't know about the policies are caught off guard and unprepared for attacks.

Employees follow cybersecurity best practices, even beyond the boundaries of their companies' policies. But when companies don't communicate their security policies in a way that connects with employees, or when their policies make everyday work processes more cumbersome or a hassle, employees are more likely to engage in risky behavior.

Companies need to recalibrate their cybersecurity approach from technology-based defenses to proactive steps that include processes and education. It takes laser focus, commitment, and an intelligent and forward-looking leadership suite to make cybersecurity a pillar of the corporate agenda. It also arms the IT department with the information it needs to customize its security training and testing to individual employees. Such teamwork within the organization is the only way to change people's habits and make a meaningful difference in safeguarding organizations against a rapidly evolving cyber-threat landscape.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
Comments

jrpolan, User Rank: Author
11/16/2018 | 12:46:11 PM
More than a cultural problem...
Having worked in and around cyber for 2 decades, I think many of the cultural problems around cybersecurity stem from one curious origin: when all is said and done, most corporate mgmt does not truly worry about long-lasting, unmitigable effects of cybercrime. In other words, they talk respecting cyber insecurity, but, at the end of the day, every bad thing that can happen can be fixed, insured, or marketed away.