3 Tips on How to Create a Cyber Security Culture at Work

This October marks another iteration of National Cyber Security Awareness Month (NCSAM), a program designed to engage both the public and private sectors on good security practices via activities that encourage awareness and resiliency in the event of a national cyber incident. Sponsored by the Department of Homeland Security (DHS) in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, NCSAM emphasizes our shared responsibility in strengthening the cyber security posture of our workplaces, homes and digital lives. NCSAM 2015 officially kicked off last week with the fifth anniversary of STOP. THINK. CONNECT. – a campaign that seeks to provide users with a unified, guiding principle that they can follow to stay safe online. This week, NCSCAM focuses on the theme of creating a culture of cyber security at work. As we all know, computer criminals pose a serious threat to businesses today in that they can steal corporate intellectual property, as was the case with last year's Sony hack; compromise employees' personal and medical health information, the latter of which is increasingly valuable on underground web markets; and overall depreciate an organization's reputation. These external actors may also exploit bad security decisions on the part of internal employees, the effects of which may be amplified by poor or incomplete bring your own device (BYOD) guidelines or policies designed to protect Internet of Things (IoT) devices. In accordance with NCSAM, it is everyone's responsibility to help protect his/her organization against a breach or targeted attack. Here are a few tips on how you can help create a culture of cyber security at work:

Tip #1: Focus on Security Basics

People are most willing to embrace security if the concepts and technology are quick, hassle-free, and easy-to-understand. That reasoning helps to explain why a focus on security basics can go a long way.

"By embracing the basics of security hygiene – two-factor authentication (2FA), password managers, and keeping devices and laptops updated – we’re teaching users that the security equivalent of simply washing your hands is simple, effective, and easy to do," explains Mike Hanley, Program Manager, R&D at Duo Security. "These basics are proven to defeat the most common attacks and prevent data breaches effectively…. While these methods don’t always get the limelight that threat-focused measures receive, they are cost-effective and simple, and they help to reduce the strain on security and IT resources."

Cheryl Biswas, InfoSec I.T. Coordinator and Senior Writer at JIG Technologies, agrees that security, if recognized as an approachable process and ongoing commitment, can help safeguard against the dangers of what she calls Shadow IT and Shadow Data. "Things get plugged in that shouldn’t, whereas data gets handled and exposed that shouldn’t," Biswas clarifies. "To counter these occurrences, I would recommend that security personnel lay the following keystones in place and build around them:

• Passwords: These really are the keys to your kingdom. Have a good password policy in place, teach staff how and why to use it, and do routine checks to make sure that all your employees are on the same page.
• Patches: It is crucial that businesses of every size have a patch update program in place to ensure that all software and systems are updated regularly that emergency fixes can be implemented as need.
• Get a baseline in place: While you cannot expect to catch everything, if you know what your norm is, then you have an advantage when something deviates, and you can respond decisively. That’s security in action.
• Limit and enforce access: Not everyone needs access to everything, all the time.  The fact is, the more exposure your data has, the more at risk it is. You can, and you must, put rules in place that allow most users access to only what they need. It’s good to request permission because that enforces a necessary system of checks and balances that underpin good security.
• Inventory and monitor: Know what you have, tag it, track it, and update what gets added or removed to the system. This will help ensure you know what your baseline is for monitoring purposes. Additionally, it will help you reign in control of your organization's BYOD culture, should one exist."

Paul Ghering, Infrastructure Analyst at Belden, states that security personnel cannot overemphasize the importance of a strong BYOD culture: "By implementing BYOD policies that simply do not trust what is outside the datacenter, we can reduce the attack surface for the corporate data and services considerably. Also, management and overview would greatly improve, and employees could use whatever device they have access to or need to do their work.

Tip #2: Invest in Employee Awareness Training

When it comes to strengthening an organization's security posture, infosec personnel by themselves can only do so much, for they are not the only ones interacting with corporate networks.

"Employees make decisions every day that negatively affects their business’s security," explains Wolfgang Goerlich, Cyber Security Strategist at CBI. "As a result, we have known for a while that, to protect organizations, employees need online street smarts. However, the problem is that some in the industry treat employee awareness as a training concern or one-time activity. It is not. It is an ongoing cultural problem."

With this in mind, it is important to break up employees' training into separate units that each address individual security topics. For example, as suggested by Adrian Sanabria, Senior Security Analyst at 451 Research, organizations should spend some time educating users on how to spot suspicious links and how they can use tools such as URLQuery.net to analyze potential threats. "Safe URL tips can be easily shared through a monthly internal newsletter," Sanabria observes. "We can complement these suggestions by publishing a list of free resources like URLQuery onto an internal intranet site for free use by employees. Sharing the links in this case doesn't go far enough; it's best to include instructions on using them properly."

Image

Matt Pascucci similarly recognizes the value of engaging users directly into a security awareness training program. "We need to create competitions, newsletters and other ways for users to participate in the awareness training," Pascucci recommends. "Just like anything else, if it's not going to grab their attention it won't stick in their minds. Find creative ways to get this information out. Either via funny newsletters or competitions, but the more you can capture the users attention the better chance you have of the information sinking in." Pascucci goes on to explain that training exercises should be complemented with periodic tests designed to evaluate user awareness and to direct training to different areas of focus.

Tip #3: Encourage the Senior Leadership to Embody Organizational Security

Training employees in good security practices goes only so far, however, a fact with which Tony Martin-Vegue, blogger and host of The Standard Deviant Security Podcast readily appreciates:

"Companies can put in substantial effort and expend valuable resources in strengthening their security posture, but the truth is they will fail if there is not a strong and consistent tone delivered from the top," Martin-Vegue explains. "It’s very important for an organization’s senior leadership to be fully supportive and an enthusiastic advocate of security goals and objectives."

Executive leadership is integral for companies that opt to implement a "clean desk" policy, under which screens must be locked when unattended and laptops must be secured via cable locks. They essentially set the example in choosing to follow these secure behaviors; if they resist, employees do not have any clear incentive to comply, either. Business leaders who emphasize risk analysis can also contribute to a positive security culture at work: "Management that demands a rigorous and defensible risk analysis are able to make informed and sound decisions about security investments," states Martin-Vegue. "In the long run, this increases the security posture of the firm and has the nice byproduct of giving the security team a reputation of being credible. Gone are the days where saying 'This is High Risk!' is good enough to get budget approved. Demand quantitative analysis that demonstrates a solid return on security investment."

Conclusion

An organizational cyber security culture depends not solely on the work of one group but instead on the contributions of all personnel. By delegating security personnel to focus on security basics, employees to engage in interactive security awareness training, and executives to provide a consistent pro-security tone, you can create a holistic cyber security culture in which everyone has a stake. _{Title image courtesy of ShutterStock}