Building a Culture of Security

Author: Paul Frenken, MBA, PMP, FAIR, PMS2, PAL
Date Published: 28 August 2020
Related: COBIT Focus Area: Information Security

A cybersecurity culture is more than physical barriers at the entrance to a building, multifactor authentication for system access or least-privilege authorization. It is the collective mindset of the people in the organization, working every day to protect the enterprise. A robust security culture reduces risk and can save an enterprise millions of dollars by offsetting the cost of corrupted or lost data, decreased revenue and regulatory fines, and by protecting the enterprise’s reputation.

Before the personal computer (PC) and the Internet, cybersecurity was comparatively simple. Most machines were green-screen terminals wired directly to a mainframe in the basement, so security largely meant keeping strangers out of the building. Even with a stolen credential, an attacker had to be physically present to use it. With the PC and later the Internet, an intrusion can originate from halfway around the globe.

Security now means more than physical enforcement. Protecting enterprise assets requires a culture of security throughout an enterprise.

Why Is Cybersecurity Culture So Important?

A strong cybersecurity culture helps protect the enterprise’s most important asset: its data. Physical assets such as equipment, buildings and even people can be replaced; data are difficult to replace. Most organizations spend years and countless resources acquiring and creating their data assets, and some enterprises that lose their data never recover. Organizations therefore need to value data protection and cybersecurity at every level. The media are full of reports of enterprises breached because of inadequate security, yet simple security standards that all employees follow can address most of these issues. Human error or behavior is behind roughly 90 percent of data breaches.1 Employees losing laptops or phones, plugging unknown flash drives into their computers or opening unexpected emails compromise more enterprises than attacks that succeed without any help from someone inside.

Organizations spend millions of dollars on hardware and software such as firewalls, antivirus products and physical barriers. However, they economize on employee training and do not value security culture enough to invest in building and enforcing the standards that protect against risky human behavior.

What Is a Security Culture?

A security culture constitutes more than just cyberawareness. It must:

  • Incorporate a broader corporate culture of day-to-day actions encouraging employees to make thoughtful decisions that align with security policies.
  • Require the workforce to know the security risk and the processes for avoiding that risk.
  • Build and enforce an operating process of tasks that keeps the enterprise safe.

A security culture includes a healthy combination of knowledge and follow-through of daily work tasks.

Cybersecurity best practices start with building a security culture. Intuitively, most cybersecurity professionals agree that training the workforce on the importance of cybersecurity is the best use of security resources. Teaching employees to recognize threats, curb poor behavior and follow basic security habits is the best return on investment (ROI). Measuring and justifying the expense, however, is difficult. Persuading upper management with an ROI figure based on employee training and a change in the organization’s culture is a hard, persistent sell.

The probability of an employee starting a fire in the enterprise, by accident or design, is lower than that of an employee opening an avenue for a cyberattack. Employee education, behavior and a culture focused on cybersecurity best practices and standards are therefore at least as important as the annual fire drill. It is the cybersecurity professional’s responsibility to keep building a security culture and to change how employees view cyberprotection. Whether it is senior management, human resources or the employee in the next cube, everyone needs to keep selling cyberstandards and best practices. When a cyberattack hits the enterprise’s systems, everyone will look to the cyberprofessional to answer the question, “How could this happen?”

How to Change to a Security-Conscious Culture

Most IT teams value sound security practices and standards. The biggest challenge in developing a security-conscious culture is getting middle and senior management to support those practices and to build the culture that sustains them. These levels can regard a security culture as just another expense to the business with little quantifiable ROI.


To counter enterprise indifference, cybersecurity professionals can follow a few steps to lay a solid foundation for a security culture. First, publish statistics on how often attackers probe enterprise systems; the perimeter firewall, intrusion detection system and the logs of externally exposed services (blocked connection attempts, failed logins, scanning activity) already hold these numbers. Most employees, especially senior management, will be astonished by the sheer volume. Second, track and publish statistics on the number of phishing and junk emails that reach the enterprise’s mail servers, which the mail gateway’s counts of rejected, quarantined and flagged messages provide. Email is one of the top avenues for attackers to gain access to enterprise systems.2 Although most employees believe they can recognize a phishing email and avoid acting on it, 30 percent of phishing emails are opened and 12 percent of recipients go on to click the link.3

Obtaining Senior Leadership Buy-In
Once the attack data are shared, the next step is obtaining buy-in from senior leadership. Numbers, ROI, revenue and shareholder value motivate senior leaders, and it is difficult to assign an ROI figure to cybersecurity risk. However, hard data on attempted attacks help management see that a breach is more likely than a fire in the office. Showing what a breach cost a comparable organization’s profit margins helps management view the investment in a security-conscious culture as a form of insurance. Even so, citing numerous high-profile and costly breaches does not make persuading management to invest in behavioral change within the organization easy.

The chief information officer (CIO), chief technology officer (CTO) or chief information security officer (CISO) must assume the role of cybersecurity champions on the leadership team. These IT leaders need to garner the leadership team’s confidence to help explain the threat, risk and impact of failing to develop a secure mindset. These security champions are key in building and maintaining a cybersecurity culture.

Cybersecurity Culture as an Insurance Policy?
Cybersecurity professionals can present the investment in a cybersecurity culture to management as an insurance policy, like any other business insurance. Most enterprises carry insurance against liability, fire and theft covering their capital equipment and employees. To justify that expense, senior management asks, “Can the business continue if the building or inventory is lost to fire, flood or theft?” The answer is usually no, so management makes the business decision to buy insurance against the potential disaster.

Most enterprise managers value fire, flood and theft insurance. Yet, according to the US National Fire Protection Association, there are on average 3,340 office fires in the US each year,4 while Dark Reading reported roughly 6,500 data breaches in 2018.5 The two counts are not measured on the same basis (the breach figure is not limited to the US), but the breach count also includes only incidents that were disclosed, or that the enterprise even knew about. How often has an enterprise announced that it just discovered a breach that occurred years earlier? Worse, some never learn they were breached at all. Statistically, enterprises are more likely to suffer a monetary loss from a cyberincident than from a fire or flood, yet management is more likely to buy fire and flood insurance than to build a quality cybersecurity culture.

Framing a cybersecurity culture as an insurance policy is more likely to motivate senior management to support the initial expense of building a security culture. Cybersecurity professionals know that the biggest ROI is training enterprise team members on safe cyberbehavior.

Workforce Buy-In and Training
After gaining management support, security professionals must persuade the workforce to change its behavior. Start by surveying the enterprise’s associates for suggestions. Nothing builds cultural change more effectively than involving employees in the process and the solution. If the workforce understands the threat and helps shape the response, the culture has a foothold from which to grow into standard operating procedure.

Once employees are invested, security professionals must create training programs. A robust cybersecurity training program is labor-intensive, but it is invaluable in establishing the culture. Thirty-seven percent of organizations’ staff cite insufficient cybersecurity training in the workplace.6 Training requires more than one workshop or online course; an effective program repeats key concepts more than once a year. For example, some enterprises publish a monthly IT newsletter to communicate with other divisions. Each issue covers a security topic, and during the month IT team members discuss that topic with colleagues outside IT. Some enterprises even ask employees to add the monthly topic to their internal email signature to reinforce it. This helps colleagues recognize cybersecurity as a serious matter.


Build Security Policies
Well-documented policies form the cornerstone of a security culture. Cybersecurity policies must cover the daily operating procedures for using enterprise assets and accessing data resources. The IT security team develops the official security policies and stakeholders approve them. These policies set out the rules and procedures that everyone with access to enterprise assets must follow. Some human resources (HR) departments add employee security behavior documents that spell out expectations and the consequences of noncompliance. During new employee onboarding, both the hiring manager and HR must confirm that the recruit has completed the required security training.

Report an Incident
The last step in building a cybersecurity culture is to encourage employees to report incidents, including their own mistakes such as clicking a link in a suspicious email, without fear of blame; a report that arrives early limits the damage far more than one withheld out of embarrassment. Some enterprises build programs to recognize associates who spot problems, loopholes or inconsistencies in how people and equipment behave. Cybersecurity professionals must provide easy reporting avenues such as a shared cybersecurity mailbox, a website form or a phone number. When employees understand the risk and have an easy way to report issues, they will likely use it, especially if they gain some recognition for identifying an issue.

Addressing the Naysayers

Identifying the number of attempted intrusions, gaining management support, building workforce buy-in, creating clear policies and providing an easy avenue to report incidents together set the foundation for a cybersecurity culture. Any effective cultural change requires sustained effort from everyone, and with change comes resistance. Despite the positive impact of a cybersecurity culture, there will be naysayers who resist any change. Peer pressure shapes the behavior of the few employees who resist; in most cases the holdouts conform once their colleagues press them. Finally, a cybersecurity culture requires HR to create policies that support it, including procedures to correct or, if necessary, terminate noncompliant employees. Building a cybersecurity culture empowers team members to be proactive and vigilant in their daily tasks. Every employee’s unwritten job description includes cybersecurity.

Behavioral Change Takes Time

Attackers often use phishing emails to enter enterprise systems. To test whether security training worked, cybersecurity professionals can send a simulated phishing email to the employees who completed it and measure how many open it, click the link, enter credentials and, just as importantly, report it. A single test run shortly after training measures recall; only repeated campaigns over months show whether the behavior has become habit. It takes time for policies to become an embedded culture.
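The following Python script is an added example, not code from the article or its author. It turns the kind of per-recipient export a phishing-simulation tool produces into the numbers this section and the earlier "publish statistics" step call for: per-campaign open, click, credential-submission and report rates, the departments that exceed a click-rate threshold and so warrant targeted training, and the change in each rate between a baseline campaign and a post-training campaign. The CSV rows, campaign names and column layout are constructed for the example; a real tool's export will differ.

```python
"""Phishing-simulation scorecard (added example; data below is constructed)."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed sample export: one row per recipient per campaign.
# 1 = the recipient did it, 0 = did not. A recipient who clicked and then
# reported counts for both; the report is the behavior the culture rewards.
SAMPLE_CSV = """\
campaign,department,opened,clicked,submitted,reported
2020-Q1-baseline,finance,1,1,1,0
2020-Q1-baseline,finance,1,1,0,0
2020-Q1-baseline,finance,1,0,0,1
2020-Q1-baseline,sales,1,1,1,0
2020-Q1-baseline,sales,1,0,0,0
2020-Q1-baseline,sales,0,0,0,0
2020-Q1-baseline,it,1,0,0,1
2020-Q1-baseline,it,0,0,0,0
2020-Q1-baseline,hr,1,1,0,0
2020-Q1-baseline,hr,1,0,0,0
2020-Q3-post-training,finance,1,0,0,1
2020-Q3-post-training,finance,1,1,0,1
2020-Q3-post-training,finance,0,0,0,0
2020-Q3-post-training,sales,1,1,1,0
2020-Q3-post-training,sales,1,0,0,1
2020-Q3-post-training,sales,1,0,0,1
2020-Q3-post-training,it,1,0,0,1
2020-Q3-post-training,it,0,0,0,0
2020-Q3-post-training,hr,1,0,0,1
2020-Q3-post-training,hr,1,0,0,0
"""

FLAGS = ("opened", "clicked", "submitted", "reported")


@dataclass
class Tally:
    """Counts for one group of recipients (a campaign or a department)."""
    recipients: int = 0
    opened: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def add(self, row):
        self.recipients += 1
        for flag in FLAGS:
            setattr(self, flag, getattr(self, flag) + int(row[flag]))

    def rate(self, flag):
        """Share of recipients with the flag set; 0.0 for an empty tally."""
        return getattr(self, flag) / self.recipients if self.recipients else 0.0


def load_results(text):
    return list(csv.DictReader(StringIO(text)))


def tally_by(rows, key):
    """Aggregate rows into one Tally per distinct value of row[key]."""
    tallies = defaultdict(Tally)
    for row in rows:
        tallies[row[key]].add(row)
    return dict(tallies)


def campaign_tallies(rows):
    return tally_by(rows, "campaign")


def department_tallies(rows, campaign):
    return tally_by([r for r in rows if r["campaign"] == campaign], "department")


def departments_over(rows, campaign, flag="clicked", threshold=0.3):
    """Departments whose rate for `flag` exceeds the threshold: candidates for targeted training."""
    return sorted(d for d, t in department_tallies(rows, campaign).items()
                  if t.rate(flag) > threshold)


def trend(rows, before, after):
    """Change in each rate from campaign `before` to campaign `after`.
    Training should drive the click and submit deltas down and the report delta up."""
    tallies = campaign_tallies(rows)
    return {flag: tallies[after].rate(flag) - tallies[before].rate(flag) for flag in FLAGS}


if __name__ == "__main__":
    rows = load_results(SAMPLE_CSV)
    for name, t in campaign_tallies(rows).items():
        print(f"{name}: n={t.recipients} opened={t.rate('opened'):.0%} "
              f"clicked={t.rate('clicked'):.0%} submitted={t.rate('submitted'):.0%} "
              f"reported={t.rate('reported'):.0%}")
    print("departments to retrain:", departments_over(rows, "2020-Q3-post-training"))
    print("trend:", {k: f"{v:+.0%}" for k, v in
                     trend(rows, "2020-Q1-baseline", "2020-Q3-post-training").items()})
```

The report rate is tracked alongside the click rate on purpose: a campaign where clicks fall but nobody reports the email shows employees ignoring suspicious mail, not defending against it, and the department list is what turns the scorecard into the next round of targeted training rather than a one-off statistic.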


For example, a colleague recently shared one experience of building a security culture. The goal of the initiative was to teach team members to lock their systems whenever they stepped away from their desks. First, approximately 3,000 employees completed security training. To reinforce it, the IT team printed 1,000 yellow business cards reading: “You are away from your desk but your computer is not locked.” IT team members walked the halls and left a card on any computer whose owner was away but had not locked it. The IT team handed out all 1,000 cards within three months. The second printing, on orange cards, took approximately nine months to hand out. The third printing was on red cards, and 18 months into that cycle the IT team still had approximately 600 of them. A few of the older cards were still circulating, which meant colleagues had taken cybersecurity to heart and were using old cards to remind coworkers about locking their computers. This successful campaign required minimal investment but had a major impact on building a cybersecurity culture.

Excessive Cybersecurity

Based on firsthand experience, one large top-five financial services enterprise took a draconian approach to cybersecurity. It replaced all laptops with virtual desktops, initially disabled every Universal Serial Bus (USB) port, locked down Internet access and did not allow email to leave the enterprise. These excessive measures made work difficult and at the same time introduced new risk. For instance, traveling employees were left to use their personal laptops or a hotel business center computer, and neither is a good choice: employees may not patch their personal machines often enough, and nobody knows who last used the business center machine or what they left on it.

The enterprise wanted to limit the possibility of an intrusion from a USB device, but the policy made ordinary office tasks difficult. Few modern machines still take Personal System/2 (PS/2) keyboards or mice, and wireless input devices were out of the question with every USB port disabled. A less disruptive way to address the same risk is to block only the USB mass-storage device class (and, where needed, other non-input classes) so that keyboards and mice keep working while flash drives do not mount. Internet access was so locked down that conducting any research was difficult.


The most excessive policies, however, were the ban on outbound email and the stripping of all incoming attachments, which made communicating with vendors difficult. Traveling employees ended up using personal email accounts on their phones to reach vendors and personal printers to print attachments such as requests for proposals (RFPs) and statements of work (SOWs), moving sensitive documents onto devices the enterprise did not control. Management took three weeks to revoke the most stringent controls and almost six months to reach a balance between security and business. This is an example of what not to do: the security regime became excessive, angered many employees and introduced new threats. Enterprises must avoid policies so strict that employees cannot do their jobs. The goal is to work with the business and build a culture that lets people complete their work while securing the enterprise’s assets.

Conclusion

Building a security culture requires a balance between business activity and business security. Encouraging employees to take part in building the cybersecurity culture goes a long way toward embedding it in their everyday tasks. Employees come to understand their role in keeping the organization safe and accept responsibility for helping to remove threats. The human factor is the weakest link in security practice, but with a cybersecurity culture, organizations can turn the weakest link into their strongest asset.

Endnotes

1 Spadafora, A.; “90 Percent of Data Breaches Are Caused by Human Error,” Techradar, 8 May 2019, https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-human-error
2 Data Insider, “91% of Cyber Attacks Start With a Phishing Email,” Digital Guardian, 26 July 2017, https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing
3 Verizon, 2019 Data Breach Investigations Report, USA, 2019, https://enterprise.verizon.com/resources/reports/dbir/
4 Campbell, R.; “U.S. Structure Fires in Office Properties,” National Fire Protection Association, August 2013, https://www.nfpa.org/News-and-Research/Data-research-and-tools/Building-and-Life-Safety/US-Structure-in-Office-Properties
5 Vijayan, J.; “2018 Was Second-Most Active Year for Data Breaches,” Dark Reading, 13 February 2019, https://www.darkreading.com/threat-intelligence/2018-was-second-most-active-year-for-data-breaches/d/d-id/1333875
6 Netwrix, 2018 IT Risks Report, USA, 2018, https://www.netwrix.com/2018itrisksreport.html

Paul Frenken, ACP, FAIR, PMP, PMS1

Is an independent consultant focusing on bringing value by implementing emerging technology and best business practices for his clients. He brings more than 20 years of experience in IT infrastructure, development, change management, customer and consulting services. With a varied background from startup dot-coms to Fortune 50 organizations, Frenken applies business best practices and cutting-edge technology to improve profit margins.