Security in Numbers: Building a Healthy Security Culture Could Be the Difference Between Success and Failure

by Brianna Groves

Extra! Extra! A headline about a business that has been hacked, breached or exploited is all too common. Cases involving exposure of sensitive, controlled data no longer send the same shockwave of disbelief they did a few years ago. Furthermore, when exploits are publicized, there is a tendency to assume it is a result of an organizational breach.

But what about other components that factor into the security, or vulnerability, of a company’s data? Filtering, patches, security updates and encryption are well-known measures to businesses of all sizes, but often the biggest threat of all to your IT security are – your employees.

Various reports show that slightly more than half of all data breaches were a result of information being “disclosed in error” by human action. We all have a duty to protect our assets, and employees should be seen as the first line of defense in preventing mistakes in the workplace.

So how do we ensure that every person is following proper cybersecurity hygiene? How do employees know what is expected of them? What about employees who don’t believe their actions put their company’s data at risk?

I sat down with a CISO to discuss the role human error plays, mitigation techniques, security trends and best practices that can transform employees into security-savvy heroes.

Q: It is a well-known fact that businesses spend millions of dollars a year on sophisticated IT security, but a major vulnerability to a company’s security remains to be humans. What types of security attacks are we as people prone to attracting?

Humans are the most vulnerable aspect in any security ecosystem, we are prone to any attack that involves us taking advantage of reflexive and quick thinking.  One interesting book on the topic is Thinking Fast and Slow by Daniel Kahneman. It should be essential reading for anyone in any field of risk.  In the book, he makes the distinction between 2 types of human thought.

The first is a fast, instinctive and emotional system in which we probably spend the majority of our time.  In this mode, we are very susceptible to social engineering.

The second is a is slower, more deliberate, and more logical way of thinking in which we are more aware of risks, and more prone to think things over.  I think a major role of any security program is to set the tone, and encourage employees to remain in the second, more deliberate mode of thought when they are in situations that may expose them to risk.

Q: There are likely some employees who do not feel that security is their responsibility depending on the type of work they do. Would you say that all employees hold a level of accountability with keeping the workplace safe and information protected?

Absolutely.  While there is a stratification of security responsibility ranging from the security professionals to the workers who may not even touch a computer, security must be done as a herd.  And it must be done, over and over again.

Q: What are some of the security best practices that every employee should be aware of?

1. Do not reuse passwords: If you are using a password on one site, don’t use the same one for another site, if any one of the sites gets breached, your password is often added to a dictionary that a cracker can use to compromise your other accounts.
2. Stop trying to have memorable passwords: I would suggest using a secure password generator and locker like LastPass.
3. Pay attention when reading your inbox: Going back to the first question, when we are in the fast, instinctive, and emotional method of thinking when checking our emails, we will be far more prone to react to phishing emails in the way the phishers want us to react.  Be diligent about email and treat it as any other important aspect of your job.
4. Do all the security training assigned by your sec ops team: We don't assign security training because we want to waste your time. It's proven that keeping these issues top of mind goes a long way to mitigating risk.
5. Remember mobile devices: Bad actors aren't just targeting computers now, they have various methods of exploiting mobile devices including smishing, the text message version of phishing.

Q: How do we ensure that employees know what their responsibilities are in preventing security incidents?

Training is the most important aspect of ecosystem security. It is not enough for an organization to expect employees to act in a certain way, they have to be told, and shown how to act. Security training is the single most important factor in establishing a protected culture within an organization.

Q: It’s fair to say cybersecurity is not the only type of workplace security to consider here, right? Physical security is a critical component in protecting a company’s data. What types of threats should employees be on the lookout for?

Employees should be on the lookout for environmental threats as well.  Preemptively addressing environmental risks such as knowing where the emergency exits are and keeping them clear are as important as knowing what the signs of fire are.  In every aspect of security, it is important to remember that human safety is the first priority.

Q: Do you find that most organizations and agencies employ a workforce that is woefully undertrained in cybersecurity?

This is a tough one to answer. I am not sure ‘woefully’ is the correct word, but I do think that the majority of employees are undertrained.  A few years ago, I would have said ‘woefully undertrained’ but I think there has been a lot of recognition of cybersecurity and cyber risk due to high profile breaches.  As a result, I see a lot more emphasis on training employees across the entire organization.

Q: What are some common exploits you’ve seen in the past around office safety?

Generally, I think weak access controls are very common. I would say in a lot of smaller and medium size businesses, where major cyber assets may be in a closet, or on an employee’s workstation, the risk of an intruder or thief is escalated. Employing stronger security around entering a facility greatly increases the security of critical assets.

Q: Is there a standard “flavor” to office security? In other words, what is best practice? Would the ideal company and its employees’ security practices vary depending on office type?

Maybe, depending on the criticality of the product. For instance, more critical operations may employ man traps, beefed up surveillance, guards, and other physical deterrents. I would say that the depth and coverage of protection would change, but that a locked or manned door for a lower risk organization is the same ‘flavor’ as a man trap in a high-risk organization.

Q: In our work anywhere, anytime era, management over the budding norm of BYOD is becoming increasingly difficult. What are the concerns with personal devices in the workplace and how are we working to mitigate these challenges?

BYOD is a major concern. There are lots of solutions for mobile device management (MDM) and mobile application management (MAM) that may be less intrusive to employees than they traditionally were.

Also, when thinking of a mobile solution, prioritize administrative requirements for security features that come native on phones, such as a certain type of authentication to the phone. Maybe you don’t trust biometrics as much as a 6-digit pin, so enforce 6-digit pins, and require that employees not use biometrics if they have your data on their phones.

Another recommendation would be to closely monitor technologies and be willing to restrict the use of certain mobile devices. If there is no viable solution for a certain device, don’t allow it within your organization. Give employees a list of devices they can use that conform to your program and let them know that having your information on any other device is a violation of policy.

Q: What are the biggest risks?

The easy answer is people. People are the hardest thing to control within an organization.They are constantly adding unauthorized devices, clicking on things they shouldn’t, and connecting your things to things they shouldn’t.

If you want a more techie answer, I would say unpatched systems are a huge risk from two perspectives. One perspective is the risk of bringing down a business system with an untested, or undertested patch.

The other perspective is having a vulnerable system out there that may be a major factor in a security incident.  It is a tough problem because you have to balance the requirements of the business with the risk of ongoing vulnerabilities on a business system. The savvy practitioner should have a scale for the time period and testing rigor of patches that scales with both the criticality of the vulnerability, and the criticality of the system.

Whether you’re a cyber-risk professional, or a salesperson, security culture requires that everyone in the organization is all in. Building a security community in the workplace brings everyone together against the common problem and ensures everyone is mindful of the same goal. Awareness is an ongoing action and crises are going to happen. Grow your culture with those teachable moments and practice continuous security trainings; your data depends on it.