It seems we can’t go more than 24 hours without hearing about the latest and greatest data breach affecting millions. These headlines are worrisome and has lead to many sleepless nights for business leaders at small and medium-sized businesses. The good news is business leaders can have an immediate and lasting impact on the company culture—but it needs priority and authenticity to resonate with staff. If the c-suite is on board with creating a culture of security, the next steps are pretty straightforward:
Write and enforce an Acceptable Use Policy.
All employees should know the ground rules for using company computers. Can they access work email from their home PC? Can they access personal email while on the network? An Acceptable Use agreement spells out what is and isn’t permissible, and speaks to consequences – up to and including termination – for non-compliance with the policy. The policy should be updated at least annually, and all employees must review and acknowledge the policy.
Document and comply with your internal Information Security Policy.
Which steps has your organization taken to maintain and enhance your security posture? How are you protecting your customer and employee data? The Information Security Policy (ISP) is the document that sets your internal standard for security – for example, it might say that “all employees receive security training twice per year.” It’s then up to leadership to make sure that this policy is indeed complied with. Simply going through the exercise of creating this policy will force your organization to pose, and answer, tough questions.
Write and follow your Business Continuity Plan.
Having a documented Business Continuity Plan (BCP) that prepares for the "worst" demonstrates to your clients, employees, and stakeholders that you are serious about maintaining a successful business when faced with an unforeseen challenge. Having a plan to react in a challenging business environment, like a pandemic, allows organizations to maintain client satisfaction and garner confidence in the organization's ability not just survive, but thrive .
Train your people. Repeat and repeat again.
The Verizon Data Breach Report found that 1 out of every 14 users fell for a phishing attempt. Given the sophistication of business email compromise (BEC) these days, it's no wonder untrained users are often tricked into letting “the bad guys” into your network by clicking on a hyperlink in an email. When was the last time your organization conducted formal security training with the staff? Did you repeat it, institutionalize it, and embed it in your culture? Look for training solutions that promote security awareness within your organization throughout the year. Some solutions offer automated monthly/quarterly/on-demand phishing tests which help keep your users on their toes in between security training sessions.
A security culture is important, but tools and technologies matter too.
No single technology can provide adequate security for your entire network or its data. To fight today's modern criminals, organizations need various protection measures to defend themselves from different forms of cyberattacks. To manage these cyber risks, conduct a cybersecurity risk assessment. This assessment takes a comprehensive look at your environment to determine what security controls and practices you have in place or are missing. In addition, an assessment should tell you the efficacy of each defense measure; you may have bought a security tool, but are you using it to the level your business requires. Armed with this information, your organization will know where to make defense improvements, thereby reducing its risk of a cyberattack.
Creating a culture of security takes work and time; it is a journey, not a destination. With the right mix of business processes, education, and tools, your business can develop a strong, security-centric culture.
If you're unsure how to start developing a culture of security, begin by understanding how to approach and tackle your cybersecurity risks.
Erik Thomas leads the Advisory Services group at Systems Engineering. Erik has over a decade of experience with IT, application development, and business operations. His group assists clients with the planning and implementation of IT systems, business development, cybersecurity risk assessments, and addressing regulatory compliance for businesses.