The issue of cyber security has undergone a colossal change in recent years. What was once considered solely the job of the IT operations department is now gaining primacy in boardroom discussions. Senior management is now actively involved in decision making that not only reviews the state of the organization's cyber posture but also works towards enhancing it further, making it robust through the latest technologies and consolidating it through high budgetary allocation.
The reason behind such a tectonic shift in the paradigm of cyber security is the breaches and intrusions that have occurred in the last few years and caused huge losses to big firms such as Anthem, Target, and Yahoo.
While such a change is highly appreciable, it is just a stepping stone to what is actually required.
Given the present state of cyberspace, organizations can no longer afford to have their departments work in silos when it comes to cyber security. What is required is a cultural shift from the bottom to the top of the organizational pyramid, covering every nook and corner of all echelons and strata, wherein every individual employee of the organization maintains an optimum cyber hygiene.
It is the job of every employee from the CEO to the newly hired apprentice to inculcate an optimum security hygiene and develop a level of vigilance and awareness.
It is the cumulative impact of individual cyber hygiene that can effectively deter and prevent the belligerent and bellicose cyber criminals from raiding the organizational networks and stealing the data.
It is the shared level of vigilance and cyber awareness on which the organization’s cybersecurity posture is dependent.
Inculcating Security in work culture is more of an Art than Science.
Simply disbursing guidelines to the employees won’t bring the desired cultural shift. Senior management must focus more on changing the mindset of the entire organization. So how do they change the mindset?
Following are a few strategies that would make an impact:
- Situational Awareness: One can’t solve a problem until one knows what the problem is.
  - To understand the evolving cybersecurity threat landscape, employees first need to be aware of the cyber ecosystem of their workplace. This involves knowing about different malware and vulnerabilities, attack methods, threat actors, best practices, alerts, and security updates.
  - To build a “Security First” mindset, security teams should share meaningful real-time information about the current cyber incidents impacting the company’s assets, employees and customers, and make employees stakeholders in the cultural transformation.
- Explaining the costs: A very good strategy is to explain the costs that will be borne by the organization because of a data breach. Employees need to understand how one wrong click of theirs can impose significant costs on the organization. This can potentially bring a sense of responsibility in the employees. Moreover, cyber hygiene should be used as one of the parameters for judging the overall performance of the employees.
- What gets measured gets managed: This is an old adage and quite true as well. Perform surprise checks on the employees and assess the maturity of the program by measuring the results. Empower your ethical hacking team to conduct phishing attacks on the employees. That would give you a measure of how much employees care about cybersecurity and pay attention to details before clicking on a URL.
- Grooming the young: An old saying, ‘Catch ’em Young’, says you should groom the young to bring a cultural shift. The young adapt easily and do not pose much resistance. Sow changes today and you will reap benefits tomorrow.
- The Broken Window Approach: First introduced in 1982 by James Q. Wilson and George L. Kelling, this theory focuses on paying attention to petty small crimes and ensuring accountability for them. As per this theory, creating an atmosphere of law and order helps prevent bigger crimes from happening.
- Lead by Example: Last but not least, the organization’s leaders must walk their talk. They should understand the threat, get regular briefings from the security experts in the company and emphasize the importance of cyber hygiene during their meetings and town halls.
Inculcate security today for it is an intangible thing with tangible benefits. Given the number of threats and threat actors in today’s cyberspace, security culture derived from an optimum cyber hygiene that runs from the Break Room to the Board Room assumes utmost significance.