BreachExchange mailing list archives

Forming a culture of security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Sep 2015 14:09:32 -0600

http://www.nhbr.com/September-4-2015/Forming-a-culture-of-security/


It seems we can’t go more than 24 hours without hearing about the latest,
greatest data breach that affects millions. Recently, of course, we had the
federal government’s Office of Personnel Management breach – exposing 30
years’ worth of personal data on at least 10 million current and former
government employees.

Breaches like this tend to inspire panic and despair in small and medium
businesses. After all, if the “bad guys” can hack into the federal
government, Home Depot and Target, what hope do small and medium-sized
businesses have? Naturally, most small- and medium-sized businesses have
neither the technical nor financial wherewithal to fight a sustained battle
against full-time hackers with nefarious intent.

However, defeatism is not an option. We’ve got to reframe the conversation
– rather than looking down despondently and itemizing all of the things
that we can’t do, let’s talk about some of the things that we can do.

First, let’s agree that small businesses do indeed have advantages over
larger businesses. Their size makes them inherently more nimble, and the
cultural impact of leadership can be immense and immediate.

Leadership in organizations with under 300 employees can have a lasting
impact on the company’s culture of security, but the message needs clarity,
urgency and authenticity to resonate with staff. Paying lip service to
security is transparent and counter-productive. Frankly, if the CEO and
his/her direct reports don’t believe that security really matters, any
sustainable security program is dead on arrival anyway.

Getting non-technical executives to understand and buy in to a security
culture requires framing the conversation in the context of the brand and
the potential brand damage from a breach.

Executives know that their brand has value, and a security breach degrades
that value with concrete financial implications. Given the inherently
limited resources in smaller businesses, an ounce of prevention is worth a
pound of cure. We, as business and technology leaders, need to help the
executive team connect the value of their brand with the specific "ounce of
prevention" that lays the foundation of a security culture.

If the C-suite buys in on creating and maintaining a culture of security,
the immediate next steps are clear:

• Write and enforce an acceptable use policy: All employees need to
understand the ground rules for using company computers. Are they allowed
to use Facebook? Can they access personal e-mail while on the network? The
acceptable use agreement spells out what is and isn’t permissible, and
speaks to consequences for non-compliance with the policy.

The policy should be updated annually, and all employees must review and
acknowledge the policy upon modification. Most importantly, these rules
apply to all employees, including the C-suite. If the C-suite doesn’t
think the rules apply to them, any attempt to instill a lasting security
culture won’t work.

• Document and comply with your own internal information security policy:
What steps has your organization taken to maintain and enhance your
security posture? How are you protecting your customer and employee data?
The information security policy is the document that sets your internal
standard for security – for example, it might say that “all employees
receive security training twice per year.”

It’s then up to leadership to ensure compliance with the policy. Simply
going through the exercise of creating this policy will force your
organization to pose, and answer, tough questions.

• Train your people. Repeat. Repeat again: It’s well-documented that the
least expensive tactic to improve security is to train your staff. Given
the sophistication of spear-phishing these days, users are often tricked
into letting “the bad guys” into your network by clicking on a hyperlink
in an e-mail.

Has your organization conducted formal security training with the staff?
Did you repeat it, institutionalize it, and embed it in your culture?

• Adopt a layered security approach: No single technology can provide
adequate security for your entire network and all your data. Speak to
knowledgeable resources to understand your current tools and how they might
be improved. It starts with culture, but tools, technologies, and expertise
matter, too.

These are simply the tactics to get the ball rolling. Sustainable change
will only come with lasting commitment, but cultural norms tend to take
hold rapidly with repeated emphasis and support from senior leadership.
Small- and medium-sized businesses should take advantage of their naturally
nimble size to drive the security message home and create a company culture
of security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/