Organizations normally understand that employees are key to improving information security, but often focus on awareness of policies and procedures. Chantelle van Wyk explains why this approach is ineffective and looks at what else organizations should be doing to strengthen the information security culture.
With the marked increase in cyber attacks and ever tighter legislation around data privacy, it's imperative that organizations prioritise security activities and interventions. Typically, organizations tend to focus on awareness of security but fail to change behaviour. Unless the behaviour of every individual in the group is modified, the interventions will not reduce the risk of a security incident.
It is important to have the right policies and procedures in place, but awareness of protocols is not enough. In order to really combat the risks of a security breach in your organization, you have to go beyond awareness to actually changing conscious behaviour. This year needs to be the year of working towards a security culture.
A security culture is an organizational culture where not only are all the right security protocols in place, but the correct behaviour and response to security becomes subconscious, instinctive and effortless.
You have to start with building awareness of why security is important and how to reduce risk. Then you move onto changing behaviour in mitigation of risk and in the event of an incident. There are elements of everyone's behaviour - be it professional or social, public or private - that must change. This is all about individuals doing things right the first time. Ultimately, you want to achieve a strong culture of security that becomes a fundamental part of your organizational behaviour.
Some of the scenarios that occur in the absence of a security culture include sharing passwords or writing them down, leaving your computer unlocked while you are away from your desk, letting guests wander around the office unaccompanied, leaving confidential documents in a public place, using weak passwords to access company systems, storing confidential information on a personal device, connecting to unsecured Wi-Fi, and so on. Unfortunately, the list is long and the potential for exploitation is high.
No matter how well documented your procedures or how clear and accessible your security policies, if you have a weak security culture, your organization is vulnerable.
However, it's not just about passwords and being safe online. Data privacy legislation and regulation define an organization's overall posture towards data and client information: how it is gathered, stored and used. Employees need to understand what the relevant data privacy legislation and regulation mean for them, and how they need to act to ensure the company remains compliant.
Joint responsibility
In today's world, no organization is going to be able to operate without being both physically and digitally secure. Organizations have both legislative and contractual obligations around the security of products, data and employees. If these obligations are not met, the organization will suffer reputational and financial losses. If an employer loses the trust of its client or market, the impact will also be felt by the employees. To that extent, security isn't just the responsibility of the organization but of all of its stakeholders as well.
There are also benefits to the employee on a personal level when working within a security culture, for example a sense of physical safety while working and a sense of digital safety. If you work for an organization that takes security seriously, you know your personal information is safe, and you become more aware of how important it is to keep your personal information safe online.
A strong security culture promotes stability, trust and increased revenue potential, and makes the organization better able to reward staff.
The author
Chantelle van Wyk is the Global IT and Security Manager for Striata. She previously held key security positions at organizations such as KPMG, Rackspace and Symantec. Chantelle has a Master's in Information Security and a B.Sc. in Information Technology. She is a Certified Ethical Hacker, a Certified Intrusion Analyst and holds a certification in forensic reverse malware engineering. She is a Cisco certified network professional and a CompTIA certified security administrator.