The Data Breach Investigation Report (DBIR) for 2017 (3) went into the detail of cybercrime and came out with some interesting information, including that over half of breaches involved malware and 66% of malware was installed from a malicious email attachment. Phishing remains, as ever, a popular choice for the cybercriminal, with 1 in 14 phished individuals falling for the trick. Phishing is successful because cybercriminals use our own behavior against us in a war of psychology. The report also pointed out that the password issue persists, as 80% of hacking is down to stolen or easily guessable passwords. So, how do we stifle the march of the cybercriminal? We have to approach it from a technological perspective but also a human one, too. As stated, cybercriminals feed off our own behavior and use it against us. They trick us into performing actions which seem legitimate, but aren’t. It is this aspect that technological solutions cannot resolve and which need to be bolstered by drawing in the human behavior aspect. This can be achieved by creating a ‘security culture’.
5 Ways To Create a Security Culture
So, just what is a security culture all about? In a nutshell, it is based on the adage “know they enemy”. If you know what you are up against, you can put procedures in place to protect yourself. A security culture is one that incorporates everyone who is involved in an organization – this may well extend to business associates, and in some circumstances, customers; certainly, some aspects of a security culture can include customers, for example, educating customers about phishing emails can be seen as part of the overall culture of security your organization develops. A security culture is helped by the use of security awareness training (4) and a positive attitude, driven from the top down, towards embracing security. Below is a list of the top 5 areas that you need to consider when building a culture of security in your organization.
Education, education, education Knowledge is power, and education on cybercrime and typical attack scenarios is a crucial part of any security awareness training program. Security needs to be fostered and fed, and so the ethos of training should be done using a top-down approach. Management needs to be the advocates for the training, themselves taking part in its development as a company policy. The education around security needs to be extended to everyone that could pose a risk to your organization – this includes all staff, contractors, freelancers, consultants, third parties (such as suppliers), and even customers. Your company needs you! Security is everyone’s problem. Any one of us can become the weakest link in an organization’s cybersecurity defenses; the finger that clicks on the malware package, the person who reveals their password to what seems like a legitimate site. A holistic view needs to be taken where everyone recognizes the part they play in the culture of the company and the impact they personally can have on security. Understanding security issues cuts across the entire organization, from having a clean-desk policy through to developers and DevOps understanding the importance of secure coding and security logs. Security bootcamp Security awareness training and simulation exercises give the vital first-hand experience needed to learn and understand where the risks lie. A security bootcamp can be created that utilizes a mix of classroom-based formal training, with real-life simulation exercises that train people to spot security problems. Security bootcamps should cover all aspects of security from phishing and online security to desktop security to physical security. Phishing simulation should be done regularly, but also randomly, to create more natural scenarios. People are your best asset, and they can also be one of the greatest security assets too. The rewards of a job well done Security awareness training and the culture it instills are measurable. If you incorporate quizzes and other measurement activities, make them fun and offer rewards for a job well done. Create a system that rewards and encourages security best practices, but conversely, don’t use poor outcomes by an individual as punishment. Instead, focus in on how to improve a program – after all, we are all different, and different styles of learning suit different types of people. Security mindfulness Employees should feel empowered after receiving the training and knowledge to help play their part in preventing a security breach. A security culture is a state of mind, and if done correctly, can become part of the way of life at an organization, sitting alongside the general day-to-day business. But it should always be remembered that a culture of security is part of an ongoing process. Cybercriminals rarely sit on their laurels. They develop new and more sophisticated techniques to trick us. All of the elements of a security culture need to be cultivated as part of an ongoing process. Training should be regularly repeated, whilst keeping the random aspect of phishing simulations. Becoming security mindful will make the act of security normalized.
Making 2018 The Year Of Security Culture
It is likely that 2018 will see as many, if not more, cyber attacks against organizations of all sizes and types. Many of these attacks will begin with the manipulation of our own behavior by the cybercriminal. To address this, we must fight fire with fire, and build defenses using our greatest asset – our people. A culture of security is about addressing insecure behavior and encouraging secure thinking. In doing so, you can build an encompassing ethos that will protect against some of the most common attack methods like phishing, potentially saving your company money, reputation, and ensuring that compliance requirements are met.
Sources:
Market Watch, Equifax Share Data: https://www.marketwatch.com/investing/stock/efx/charts Ponemon Institute and IBM, Cost of Data Breach Study: https://www.ibm.com/security/data-breach Verizon, 2017 Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
Infosec Institute, Security Awareness — Definition, History & Types