Vulnerabilities / Threats

11/16/2018
10:30 AM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

95% of Organizations Have Cultural Issues Around Cybersecurity

Very few organizations have yet baked cybersecurity into their corporate DNA, research finds.

These days, a sinister phenomenon called cybercrime-as-a-service is steadily growing, enabling malcontents with only basic technical skills to perpetrate massive IT disruption among companies of all sizes, everywhere. All they need to know is how to unleash firepower by hiring a cybercriminal or their services through one of the various market places in the Dark Web — the shady underworld where demand meets supply.

Some may consider cybersecurity to be the sole purview of a company's IT department, but that's wrong. It's essential for HR and IT to work hand-in-hand to train staff in online safety and write solid cybersecurity policies that collectively serve to entrench security in the corporate culture. 

Deeply Embedding Cybersecurity into the Organization's DNA
According to Information Systems Audit and Control Association's (ISACA) Cybersecurity Culture Report, 95% of organizations admit that their current cybersecurity environments are far from the ones they'd like to have. In a poll of some 4,800 business and technology professionals, a mere 5% of them say their organizations' cybersecurity culture is sufficient to safeguard the company against threats from both inside and outside. An overwhelming 87% of respondents think that establishing a stronger culture of cybersecurity would increase their organization's profitability or viability.

The CMMI Institute, an ISACA enterprise commissioned to write the report, defines a cybersecurity culture as one that incorporates cybersecurity into every aspect of an organization's operations. Rather than considering it as a cost item or afterthought, digitally savvy organizations deeply embed cybersecurity into their DNA and see it as differentiating factor against competition — simply because their services are more reliable, secure, and trustworthy than those of their rivals. While the need for a change might be obvious, it's often much easier said than done. Getting to this happy place demands a major rethinking of the status quo and a different corporate mindset.

ISACA found that in organizations where employees are highly engaged in cybersecurity, 92% of respondents say their executive leaders have and share an excellent knowledge of potential cybersecurity problems. But 42% say their companies don't have a cybersecurity culture management plan or policy. The study concludes that there's a positive correlation between companywide employee involvement and organizations' satisfaction with their cybersecurity culture. In fact, companies that feel they're far from their ideal security culture spend 19% of their cybersecurity budget on tools and training; the ones that are more attentive to and supportive of cybersecurity expend far more (43%) on tools and training to improve staff knowledge and engagement.

Complex Policies Are Useless
Unfortunately, just because a company has a cybersecurity policy does necessarily mean that employees will adhere to it. As the research firm Clutch found, almost half (47%) of employees don't pay much attention to their employers' cybersecurity policies.

Most employees (64%) use a company-approved device for work, but only 40% of them are supposed to follow rules governing the use of personal devices. Employees' use of their own devices to transact company business exposes those companies to all varieties of online risk. Virtually all employees (86%) check email and more than two-thirds (67%) access shared documents using their devices, many of which may lack the protection needed to shut out hackers and other Internet intruders.

A big reason why internal cybersecurity practices can be ineffective is that it's easy for staff to become overwhelmed by all the different rules and procedures they're supposed to follow. It all becomes too much to swallow. Maarten Van Horenbeeck, writing in the Harvard Business Review, opines that "some of these rules often don't work because they are simply too complex and drive people to take shortcuts that defeat their purpose," suggesting that education, user-friendliness, and simplification are the factors that drive success.

Thus, simply having a policy isn't enough. Companywide communication and careful training are needed and, in light of escalating security breaches, more necessary than ever. But the training needs to be easy to digest and follow up on.

Conclusion
Employees are typically on the front lines when cybersecurity incidents occur. However, many of them come into contact with their organization's cybersecurity policies primarily through reminders and restrictions. Those who don't know about them are caught off-guard and unprepared for attacks.

Employees follow cybersecurity best practices, even beyond the boundaries of their companies' policies. But when companies don't communicate their security policies in a way that connects with employees, or when their policies make everyday work processes more cumbersome or a hassle, employees are more likely to engage in risky behavior.

Companies need to recalibrate their cybersecurity approach from technology-based defenses to proactive steps that include processes and education. It takes laser focus, commitment, and an intelligent and forward-looking leadership suite to make cybersecurity a pillar of the corporate agenda. It also arms the IT department with the information they need to customize their security training and testing to individual employees. Such teamwork within the organization is the only way to change people's habits and make a meaningful difference in safeguarding organizations from against a rapidly evolving cyber-threat landscape.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jrpolan
50%
50%
jrpolan,
User Rank: Apprentice
11/16/2018 | 12:46:11 PM
More than a cultural problem...
Having worked in and around cyber for 2 decades, I think many of the cultural problems around cybersecurity stem from one curious origin: when all is said and done, most corporate mgmt does not truly worry about long-lasting, unmitigable effects of cybercrime. In other words, they talk respecting cyber insecurity, but, at the end of the day, every bad thing that can happen can be fixed, insured, or marketed away.
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Symantec Intros USB Scanning Tool for ICS Operators
Jai Vijayan, Freelance writer,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10008
PUBLISHED: 2018-12-10
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended...
CVE-2018-10008
PUBLISHED: 2018-12-10
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace br...
CVE-2018-10008
PUBLISHED: 2018-12-10
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jen...
CVE-2018-10008
PUBLISHED: 2018-12-10
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.
CVE-2018-10008
PUBLISHED: 2018-12-10
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy san...