With the marked increase in cyber attacks and ever tighter legislation around data privacy, it’s imperative that organisations prioritise security activities and interventions. Typically, organisations tend to focus on awareness of security but fail to change behaviour. Unless the behaviour of every individual in the group is modified, the interventions will not reduce the risk of a security incident.
It is important to have the right policies and procedures in place, but awareness of protocols is not enough. In order to really combat the risks of a security breach in your organisation, you have to go beyond awareness and really change conscious behaviour. This year – 2017 – needs to be the year of working towards a security culture.
A security culture is an organisational culture where not only are all the right security protocols in place, but the correct behaviour and response to security becomes subconscious, instinctive and effortless.
You have to start with building awareness of why security is important and how to reduce risk. Then you move on to changing behaviour, both in mitigating risk and in responding to an incident. There are elements of everyone’s behaviour – be it professional or social, public or private – that must change. This is all about individuals doing things right the first time. Ultimately, you want to achieve a strong culture of security that becomes a fundamental part of your organisational behaviour.
Some of the scenarios that occur in the absence of a security culture include sharing passwords or writing them down, leaving your computer unlocked while you are away from your desk, letting guests wander around the office unaccompanied, leaving confidential documents in a public place, using weak passwords to access company systems, storing confidential information on a personal device and connecting to unsecured Wi-Fi. Unfortunately, the list is long and the potential for exploitation is high.
No matter how well documented your procedures or how clear/available your security policies, if you have a weak security culture, your organisation is vulnerable.
Joint responsibility
In today’s world, no organisation is going to be able to operate without being both physically and digitally secure. Organisations have both legislative and contractual obligations around the security of products, data and employees. If these obligations are not met, the organisation will suffer reputational and financial losses. If an employer loses the trust of its client or market, the impact will also be felt by the employees. To that extent, security isn’t just the responsibility of the organisation but of all of its stakeholders as well.
There are also benefits to the employee on a personal level when working within a security culture, for example, a sense of physical safety while working, and a sense of digital safety. If you work for an organisation that takes security seriously, you know your personal information is safe and you are more aware of how important it is to keep your personal information safe online.
A strong security culture promotes stability, trust and increased revenue potential, and makes the organisation better able to reward staff.
Led by legislation and regulation
It’s not just about passwords and being safe online: data privacy legislation and regulation define an organisation’s overall posture towards data and client information – how it is gathered, stored and used. Employees need to understand what the relevant data privacy legislation and regulation mean for them, and how they need to act to ensure the company remains compliant.
The UK’s Data Protection Act (DPA) specifies what information a company may gather about an identifiable living person, what it may be used for, and how long it may be kept. Employees need to understand how this impacts their day-to-day activities, and how it affects the company, so that it isn’t just one more box they need to tick, but becomes an integral part of how they do their jobs.
The EU GDPR (General Data Protection Regulation) comes into force in May 2018, and organisations should start understanding the extra requirements it places on controlling and processing customer data.
In the security world it’s a constant journey, never a destination…
Chantelle van Wyk is the global IT and security manager for Striata.
She previously held key security positions at organisations such as KPMG, Rackspace and Symantec. Chantelle has her Master’s in Information Security and a BSc in Information Technology. She is a Certified Ethical Hacker, a Certified Intrusion Analyst and holds a certification in forensic reverse malware engineering. She is a Cisco certified network professional and a CompTIA certified security administrator.