If we take a look at the last few years, the issue of cyber security has undergone a colossal change. What was once considered solely a job of the IT operations department and was only casually discussed by top management has now gained primacy in the higher echelons of organizations. Board members are now actively involved in decision making that not only reviews the state of their organization's cyber posture but also aims to enhance it further, make it robust through the latest technologies and consolidate it through high budgetary allocation to attract highly skilled manpower. The reason behind such a tectonic shift in the paradigm of cyber security is the breaches and intrusions that have occurred in the last few years and caused huge losses to big firms such as Anthem, Target and now Yahoo.
While such a change is highly appreciable, it is just a stepping stone to what is actually required. Given the present state of cyberspace, organizations can no longer afford to have their departments work in silos when it comes to cyber security. What is required is a cultural shift from the bottom to the top of the organizational pyramid, covering every nook and corner of all echelons and strata, wherein every individual employee of the organization maintains an optimum cyber hygiene. The maintenance of cyber hygiene is not just the duty of the top-level decision makers or the InfoSec team of the organization but of every individual in every department. It is the job of every employee, from the CEO to the newly hired apprentice, to maintain an optimum security hygiene and develop a level of vigilance and awareness. It is the cumulative impact of individual cyber hygiene that can effectively deter and prevent the belligerent and bellicose cyber criminals from raiding the organizational networks and stealing the data. It is the shared level of vigilance and cyber awareness on which the organization’s cybersecurity posture is dependent.
Inculcating security in the work culture is more of an art than a science. Simply distributing guidelines to the employees won’t bring the desired cultural shift. The focus has to be more on changing the mindset of the employees. So how do we change the mindset? The following are a few strategies that would make an impact:
- Situational Awareness: One can’t solve a problem until one knows what the problem is. To understand the evolving cybersecurity threat landscape, employees first need to be aware of the threats, attack methods, and the types of cyber attacks faced by the organization. To build a “Security First” mindset, security teams should share non-sensitive information about the current cyber incidents impacting the company’s assets, employees and customers, and make employees stakeholders in the culture transformation.
- Explaining the costs: A very good strategy is to explain the costs that will be borne by the organization as a result of a data breach. Employees need to understand how one wrong click of theirs can impose significant costs on the organization. This can potentially bring a sense of responsibility in the employees. Moreover, cyber hygiene should be used as one of the parameters for judging the overall performance of the employees.
- What gets measured gets managed: This is an old adage and quite true as well. Perform surprise checks on the employees and assess the maturity of the program by measuring the results. Empower your ethical hacking team to conduct phishing attacks on the employees. That would give you a measure of how much employees care about cybersecurity and pay attention to details before clicking on a URL.
- Grooming the young: An old saying, ‘Catch ’em Young’, says you should groom the young to bring a cultural shift. The young adapt easily and do not pose much resistance. Sow changes today and you will reap benefits tomorrow.
- The Broken Window Approach: First introduced in 1982 by James Q. Wilson and George L. Kelling, this theory focuses on paying attention to petty crimes and ensuring accountability for them. As per this theory, creating an atmosphere of law and order helps prevent bigger crimes from happening.
- Lead by Example: Last but not least, the organization’s leaders must walk their talk. They should emphasize the importance of cyber hygiene during their meetings and town halls and must follow cyber best practices themselves.
Inculcate security today for it is an intangible thing with tangible benefits. Given the number of threats and threat actors in today’s cyberspace, security culture derived from an optimum cyber hygiene that runs from the Break Room to the Board Room assumes utmost significance.