These days, a sinister phenomenon called cybercrime-as-a-service is steadily growing, enabling malcontents with only basic technical skills to perpetrate massive IT disruption among companies of all sizes, everywhere. All they need to know is how to unleash firepower by hiring a cybercriminal or their services through one of the various marketplaces in the Dark Web — the shady underworld where demand meets supply.
Some may consider cybersecurity to be the sole purview of a company's IT department, but that's wrong. It's essential for HR and IT to work hand-in-hand to train staff in online safety and write solid cybersecurity policies that collectively serve to entrench security in the corporate culture.
Deeply Embedding Cybersecurity into the Organization's DNA
According to the Information Systems Audit and Control Association's (ISACA) Cybersecurity Culture Report, 95% of organizations admit that their current cybersecurity environments are far from the ones they'd like to have. In a poll of some 4,800 business and technology professionals, a mere 5% say their organizations' cybersecurity culture is sufficient to safeguard the company against threats from both inside and outside. An overwhelming 87% of respondents think that establishing a stronger culture of cybersecurity would increase their organization's profitability or viability.
The CMMI Institute, an ISACA enterprise commissioned to write the report, defines a cybersecurity culture as one that incorporates cybersecurity into every aspect of an organization's operations. Rather than treating it as a cost item or an afterthought, digitally savvy organizations deeply embed cybersecurity into their DNA and see it as a differentiating factor against the competition — simply because their services are more reliable, secure, and trustworthy than those of their rivals. While the need for change might be obvious, it's often much easier said than done. Getting to this happy place demands a major rethinking of the status quo and a different corporate mindset.
ISACA found that in organizations where employees are highly engaged in cybersecurity, 92% of respondents say their executive leaders have and share an excellent knowledge of potential cybersecurity problems. But 42% say their companies don't have a cybersecurity culture management plan or policy. The study concludes that there's a positive correlation between companywide employee involvement and organizations' satisfaction with their cybersecurity culture. In fact, companies that feel they're far from their ideal security culture spend 19% of their cybersecurity budget on tools and training; the ones that are more attentive to and supportive of cybersecurity expend far more (43%) on tools and training to improve staff knowledge and engagement.
Complex Policies Are Useless
Unfortunately, just because a company has a cybersecurity policy does not necessarily mean that employees will adhere to it. As the research firm Clutch found, almost half (47%) of employees don't pay much attention to their employers' cybersecurity policies.
Most employees (64%) use a company-approved device for work, but only 40% of them are supposed to follow rules governing the use of personal devices. Employees' use of their own devices to transact company business exposes those companies to all varieties of online risk. Virtually all employees (86%) check email and more than two-thirds (67%) access shared documents using their devices, many of which may lack the protection needed to shut out hackers and other Internet intruders.
A big reason why internal cybersecurity practices can be ineffective is that it's easy for staff to become overwhelmed by all the different rules and procedures they're supposed to follow. It all becomes too much to swallow. Maarten Van Horenbeeck, writing in the Harvard Business Review, opines that "some of these rules often don't work because they are simply too complex and drive people to take shortcuts that defeat their purpose," suggesting that education, user-friendliness, and simplification are the factors that drive success.
Thus, simply having a policy isn't enough. Companywide communication and careful training are needed and, in light of escalating security breaches, more necessary than ever. But the training needs to be easy to digest and follow up on.
Employees are typically on the front lines when cybersecurity incidents occur. However, many of them come into contact with their organization's cybersecurity policies primarily through reminders and restrictions. Those who don't know about them are caught off-guard and unprepared for attacks.
Employees follow cybersecurity best practices, even beyond the boundaries of their companies' policies. But when companies don't communicate their security policies in a way that connects with employees, or when their policies make everyday work processes more cumbersome or a hassle, employees are more likely to engage in risky behavior.
Companies need to recalibrate their cybersecurity approach from technology-based defenses to proactive steps that include processes and education. It takes laser focus, commitment, and an intelligent, forward-looking leadership suite to make cybersecurity a pillar of the corporate agenda. This collaborative approach also arms the IT department with the information it needs to customize security training and testing to individual employees. Such teamwork within the organization is the only way to change people's habits and make a meaningful difference in safeguarding organizations against a rapidly evolving cyber-threat landscape.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall.