One of the more common issues that we see these days is people self-diagnosing the state of their organizations’ cybersecurity posture. Rather than leaving this responsibility to trained professionals, they do some research online and think that it means they know how to fix the problems they find. It's similar to how doctors must feel when patients come to them with a printout from WebMD saying they're certain they have a specific illness. All too often, this approach leads to addressing cybersecurity in a fragmented way rather than strategically addressing things holistically.
However, the reality is that cybersecurity issues need to be treated as seriously as health concerns. When someone visits a doctor, they trust that the physician knows what they’re doing; rarely do patients diagnose themselves and choose what health issues the physician treats. It’s okay to get a second opinion from another healthcare professional, but you wouldn’t really diagnose things yourself. The same approach should be applied to cybersecurity. Otherwise, key information could be missed and a dangerous security condition could spread throughout your system (network) as a result.
This is one of the reasons it's important to develop and nurture a “cyber-aware” culture within your organization. However, creating this culture requires approaching IT security at the organizational level — it starts with the leadership and then needs to be promoted down to the rest of the employees.
Simply put, leadership plays one of the most critical roles in building a cyber-aware culture. When promoting it to employees, the message on the importance of cybersecurity programs and best practices needs to come from the top. This requires buy-in from every leader within your organization; they should promote and nurture a culture that emphasizes cybersecurity safety, policies, procedures, and related initiatives.
The effects of this cultural shift create an advantageous environment for the development of new cybersecurity policies and procedures. These types of documents and strategies create processes and solutions for identifying and responding to threats before they become major issues.
Policies and Procedures
There are several policies and procedures that should be implemented within every organization regardless of size, including:
- Acceptable Use Policy (AUP);
- Business Continuity (BC) Plan;
- Computer Use Policy (CUP);
- Disaster Recovery (DR) Plan;
- Email Policy;
- Network Use Policy (NUP);
- Password Policy; and
- Policy of Least Privilege (POLP).
Another important step in building a cyber-aware culture is to improve the physical security of your employees and your organization’s IT assets as well. Physical security breaches are a major concern for small and medium-sized businesses as well as large organizations and corporations.
A few of the ways to improve the physical security of your organization’s IT devices and equipment include:
- Securing the server room so that only those who actually need access have it. This can be done through the use of security guards, approved individual access cards, or even biometric data.
- Providing either a laptop cable lock to employees to secure their devices or a space in which to safely store and lock up devices that are not taken home by employees at the end of the workday.
- Implementing a comprehensive security and/or surveillance system for your office.
- Putting personnel safety measures in place to protect employees in the event of a physical emergency that could cause loss of life or injury, such as a fire, flood, burglary, or another natural or man-made disaster.
Take Cybersecurity Concerns Seriously
People are crucial to any cybersecurity program. After all, employees are an organization’s greatest security weakness. However, they also can be an asset when they are informed about the dangers of cybersecurity threats. To help facilitate this knowledge, businesses must educate and instill best practices in employees to reduce their apathy and increase their concern about growing cyber threats such as phishing and CEO fraud.
The goal of this type of instruction, known as cybersecurity awareness training, is to get employees to think twice before they click on any links. Increasing employee knowledge and empathy about these cyber threats and the impact they can have contributes to creating a cyber-aware culture within your organization.
Cyber Liability Insurance
At its core, cyber liability insurance is an important investment for business owners. Because it’s impossible to prevent 100% of all cyber attacks, this insurance serves as a “security blanket” that helps businesses weather the storm in the inevitable event of a network security failure or data breach.
Cyber liability insurance covers a host of first-party and third-party expenses, such as:
- Notifying customers of the breach;
- Offering clients credit monitoring services;
- Resulting business interruptions;
- Hiring forensic investigators;
- Public relations and crisis management costs to mitigate damage to your brand;
- Legal defense;
- Damages relating to claims; and
- Regulatory defense costs.
Access Control Management
The purpose of access control is to specify who can or cannot view or use physical or digital resources that exist within your organization’s computing environment. This can include limiting access to physical assets, such as the server room or other IT-specific assets, or logical assets like system data and computer networks.
This approach to security can help to increase the safety of your organization and its data. It helps to mitigate the IT security risks associated with allowing too much access for users who don’t need it to perform their jobs as well as the financial risks associated with any data breaches that could result from improper use or access.
Compliance is an important issue for every business—and the regulating organizations or legislation that set the standards vary depending on an organization’s industry. Various aspects of cybersecurity fall within the responsibilities of multiple government agencies. Leaders need to be aware of what their industry’s regulations are and ensure that they are compliant with those requirements.
Some of these regulatory bodies and pieces of legislation include:
- U.S. Securities and Exchange Commission
- Financial Industry Regulatory Authority
- Health Insurance Portability and Accountability Act
- U.S. Department of Defense (DOD)
You can read more about this and other cybersecurity areas of concern in our eBook “The CFO’s Guide to Cybersecurity”.
What are your thoughts on building a “cyber-aware” culture at your organization? Is this critical initiative part of your plan for this year? Share your thoughts and experiences in the comments section below or send me an email if you'd like to chat with me about this topic in more detail.