Creating a Culture of Security

July 06, 2018 | Posted in:

Business Continuity, Data Protection, Compliance, IT Strategy, Cybercrime, IT Security

Posted by Erik Thomas


It seems we can’t go more than 24 hours without hearing about the latest and greatest data breach that affects millions. So we ask ourselves, “What can we do better?” After all, if the “bad guys” can hack into the federal government, Home Depot, and Target, what hope do small and medium-sized businesses have?

The truth is, in some ways, smaller organizations have an advantage – directly due to their size. Leadership in organizations with under 300 employees can have an immediate and lasting impact on the company culture – but it needs urgency and authenticity to resonate with your staff. If your C-Suite is on board with creating and maintaining a culture of security, the next steps are pretty straightforward:

  • Write and enforce an Acceptable Use Policy. All employees need to understand the ground rules for using company computers. Are they allowed to use Facebook? Can they access personal email while on the network? An Acceptable Use Agreement spells out what is and isn’t permissible, and speaks to consequences – up to and including termination – for non-compliance with the policy. The policy should be updated at least annually, and all employees must review and acknowledge the policy.

  • Document and comply with your own internal Information Security Policy. Which steps has your organization taken to maintain and enhance your security posture? How are you protecting your customer and employee data? The Information Security Policy is the document that sets your internal standard for security – for example, it might say that “all employees receive security training twice per year.” It’s then up to leadership to make sure that this policy is indeed complied with. Simply going through the exercise of creating this policy will force your organization to pose, and answer, tough questions.

  • Write and follow your Business Continuity Plan. Writing out a documented plan that prepares for the "worst" exemplifies to your clients, employees, and stakeholders that you're serious about maintaining a successful business despite any hiccup that might come along. Knowing how to react to what could be a devastating occurrence allows businesses to maintain client satisfaction and faith in business leadership.

  • Train your people. Repeat. Repeat again. The Verizon Data Breach Report found that 1 out of every 14 users fell for a phishing attempt. Given the sophistication of business email compromise (BEC) these days, it's no wonder untrained users are often tricked into letting “the bad guys” into your network by clicking on a hyperlink in an email. Has your organization conducted formal security training with the staff? Did you repeat it, institutionalize it, and embed it in your culture? Look for training solutions that promote security awareness within your organization throughout the year. Some solutions offer automated monthly/quarterly/on-demand phishing tests which help keep your users on their toes in between security training sessions.

  • Adopt a layered approach to security. No single technology can provide adequate security for your entire network and all your data. Speak to knowledgeable resources to understand your current tools and how they might be improved. It starts with culture, but tools and technologies matter too.

  • Deploy cloud security tools to protect your cloud-based data. Tools like Microsoft's Enterprise Mobility + Security suite can be utilized to protect your Office documents, sensitive data, and even other cloud applications that exist outside of on-premises IT systems. The myopic days of focusing on our on-premises IT systems and data are over; it's time to deploy the next suite of security tools to keep our cloud data safe as well.

These are simply the tactics to get the ball rolling. Sustainable change will only come with a lasting commitment – but cultural norms tend to take hold rapidly with repeated emphasis and support from senior leadership. Smaller and mid-sized businesses should take advantage of their naturally nimble size to drive the security message home and create a company culture of security.

Not sure how to begin with writing IT policies and procedures? Systems Engineering now offers IT Policies-as-a-Service which will provide you with peace of mind and time back in your calendar.


Erik Thomas, Manager of Professional Services for Systems Engineering, has over 15 years of experience with IT, application development, and business operations. Erik consistently serves as a Virtual CIO for many clients, bringing leadership and expertise to the IT operations side of the house. Erik joined Systems Engineering in 2014.