A poor company culture with respect to employee mobility can open the floodgates to security vulnerabilities. Organisations that fail to adjust to modern workplace needs, such as employees using their own devices at work, are far more likely to experience data breaches.
Employees today will work with whatever tools are at their disposal to make life easier, including unmanaged devices. Traditional security measures often prove ineffective in protecting data on these endpoints.
A modern security culture should enable users to work in the way they want, inside or outside the corporate network. Companies that impose arbitrary restrictions on devices end up forcing employees to work around the IT department.
‘The threat of data leakage via unmanaged devices is serious,’ says Eduard Meelhuysen, head of EMEA at Bitglass. ‘But having a culture of restricting staff access can actually make an organisation more vulnerable, not less.’
More than a quarter of UK businesses surveyed by SolarWinds pointed to inadequate end user security training as one of the main reasons they felt more vulnerable to cyber threats.
The same research found that 23% of UK organisations experienced misuse of company systems in 2015-16, further demonstrating the need to educate employees about the part they can play in avoiding damaging breaches.
‘Companies are attacked because of employees misusing company systems far more regularly than one would expect,’ says Destiny Bertucci, head geek at SolarWinds. ‘In 2016, a UK accountancy software firm was hit by an internal data breach as a result of a misuse of an employee login.
‘While this may not reflect the culture, it certainly highlights how employees that are unaware of security issues can wreak damage on an organisation, with 200 to 300 customers affected as a result of this misuse.’
Training and awareness
Creating a security culture within a business is all about training and awareness. CIOs and CISOs need to ensure that every employee in an organisation is aware of the potential threats they could face, whether it’s a phishing email, sharing passwords or using an insecure network.
Moreover, the cyber security landscape is always changing as hackers find new ways to access information, which is why creating a culture of consistent awareness of threats is so important.
One team meeting about cyber security is not enough to guarantee that employees understand how to keep data secure. Cyber attacks come in many different forms and are always evolving, so everyone needs to be kept up to date on what to look out for.
‘Training and educating employees to remain secure is key,’ says Graham Hunter, VP of skills certifications EMEA at CompTIA. ‘If staff understand that accessing valuable and confidential information on an insecure server could lead to someone else taking it, or that a weak password may be easy to remember but also leaves them highly vulnerable, they are far less likely to fall prey to attacks.
‘Of course, organisations must have the most up-to-date and strongest security systems in place, but this will be a wasted investment if you don’t also train your staff.’ A security culture is not something organisations do once – they must create a life cycle for it, investing in and growing it over time.
The primary goal of a security culture is to implement change and get buy-in from those involved – with a clear understanding of the results that can be delivered if everyone follows best practice.
A strong security culture must define how security influences the products and services that the business provides. Employees must also clearly understand what they will get in return for their investment, even if it is just a more secure organisation to work for.
Creating the culture requires lots of different tools, including security awareness training, posters, computer-based training (CBT), online gaming and open discussion forums. This ensures that employees get a thorough understanding of why they have to do the training, as well as the implications of a breach.
Up to speed
Most organisations do provide a level of training, but the methods used haven’t moved on with the technology. Classroom-based or CBT-based training alone is no longer adequate to meet the demands of a dynamic cyber security programme.
‘They provide no real metrics to monitor employee behaviour post-training,’ says Rashmi Knowles, chief security architect at RSA. ‘Attendance of a class does not show that the employee understands the implications of their actions.’
Phishing and social engineering are still the weapons of choice for cyber criminals and the entry point for a broad range of attacks. Traditional training is often boring, takes place out of context and runs on too long.
It can also suffer from limited user interaction and motivation, or rely too heavily on the competency of the security team, offering limited measurement, feedback and opportunity for continuous improvement.
It is vital to create an environment where all employees are aware of the risk that hackers pose and, more importantly, where they feel comfortable reporting unusual or suspicious activity. ‘We need to configure and train the human firewall, which means making training and education relevant and engaging for normal human beings, so that employees truly understand the threat,’ says Knowles. ‘Likewise, this means getting employees to recognise and accept that they could be responsible for a major breach.’
So what internal processes need to be in place to ensure that this security culture can thrive? Firstly, organisations need to ensure that cyber security awareness and organisational security procedures are well established in the employee induction and training process.
Employees need to be made aware of the cyber risks they face in their role so they know what to look out for, but they also need to know what measures are in place to protect them if they make a mistake so they don’t feel under pressure to be the last line of defence.
Businesses also need to ensure that the right fail-safes are in place so that when those mistakes are made, the consequences can be avoided.
‘It is also important for security teams to ensure that their process includes a full forensic investigation following any malware incident contained in this way,’ says Fraser Kyne, EMEA CTO at Bromium. ‘This enables them to use those learnings to identify symptoms they can look for across the wider enterprise, to ensure a previous attack has not been successful and has been lurking under the radar for some time.’
Employee involvement is crucial for the success of an organisation’s security strategy. There is often a disconnect between what employees know they should do security-wise and what they actually do in practice.
This is one of the most challenging parts of training and education. In these cases, businesses need to explain clearly what is prohibited and why – using real-world examples of the repercussions of not following procedure.
What might seem harmless to an employee, like using an unsecured Wi-Fi network, could cause a business serious problems further down the line.
‘There’s no point just preaching security,’ says David Kennerley, director of threat research at Webroot. ‘It should be made fun. It’s also important to understand if the information given has been taken in.
‘This is where regular security tests play a vital role. Bad security practices should not be tolerated if appropriate training and guidance has been given. At the same time, good security practices should be rewarded.’
The main challenge is to get staff to understand that information security is everybody’s responsibility, not just that of the IT team. Staff need to understand that the threats which may be levelled at them as individuals must be avoided to protect the company as a whole.
Organisations must engage staff, and that means going beyond PowerPoint presentations and tick-box exercises. A better approach is to sit down with new employees and induct them into the business’s cyber security culture.
Another key challenge is to make sure that partners take security just as seriously. Third-party organisations can be a major weak point in a cyber security chain, so the CIO or CISO should see it as their responsibility to ensure that partners receive the same training and communication about information security.
‘This way, they are just as aware of the dangers as your staff internally, and it’s less likely that there will be a breach,’ says Cath Goulding, head of information security at Nominet.
‘This area can be dangerous, as a would-be attacker could use your partners’ credentials to communicate with, and therefore access, your business’s data. Ensuring vigilance throughout the supply chain is key to preventing this.’