CyberSecurity: It’s a Team Game: Creating and promoting a security culture within your business
One of the most coveted business magnates of all times, Steve Jobs once said “Great things in business are never done by one person; they’re done by a team of people.”
Several researchers, engineers, technologists, developers and many more have worked all around the world and over many years to give the world a plethora of digital technologies that are helping the mankind in infinite ways.
As we embrace digitalization at work, by deploying cloud systems and connected applications, and expand our network endpoints by adopting bring your own device (BYOD) model, adding off-site employees to network and liaising with third-party vendors, partners and their systems, the threat of cybersecurity breach is growing significantly.
A research by Cybersecurity Ventures has predicted that the world will lose over $6 trillion annually to cyberattacks by 2021.
While security, IT and DevOps teams can adopt precautionary and preventive measures and tools to protect business in the best possible way from hackers, a single anomaly or glitch in one of the digital systems or a single rogue user within the network can open the gate to hell for a company!
With so many users using different connected applications and devices for different tasks, it is every individual’s responsibility to exercise clean behavior and follow data safety protocols to evade breaches.
An organization will have certain weak links at every level. Let’s have a look at some of them-
Starting with the Leadership:
Senior executives and board members, with access to sensitive information, have always been the prime targets of hackers. Adversaries could resort to any tactic, ranging from deciphering the passwords of their targeted senior official to crafting highly convincing spearphishing emails to gain sensitive information or install malicious virus in the target’s system. The worst part is that several senior executives and board members think they are immune to such attacks, courtesy to their elevated position. They believe that the security and IT teams are responsible for safeguarding against security breaches.
Such beliefs and behavior, where top level fails to understand their vulnerability to attacks, could prove highly dangerous for the entire organization.
Security and IT teams should try to highlight the vulnerability to the top-level management and board members in terms which are more relatable and comprehensible.
It is extremely important for the senior executives to follow data privacy and protection rules, as a top-down approach to adhering to security protocols and practicing hygienic security culture could motivate others in the hierarchical structure to follow suit.
Coming to the Departments:
Most of the employees in an organization believe that it is the job of IT and Security teams to safeguard the company and its processes from breaches. While this belief is not entirely wrong, it is not absolute.
Security teams can evaluate different security technologies and solutions and select the most suitable ones that can deliver on the requirements of the company and its operations. They can even develop and update security protocols; however, it is the responsibility of the leadership team to finally approve the deployment of the security solutions; responsibility of the IT team to ensure the timely and seamless rollout of the solutions; and responsibility of every department, ranging from finance to human resources to marketing and sales to align their processes with the security protocols and adopt the security solutions from end-to-end, without leaving any gap which could be potentially exploited by the hackers.
Ending up on the employees:
Businesses are now ranking cyber risks as one of their top concerns, with companies of all shapes and sizes exposed to the threat. According to the 2019 Travelers Risk Index report, 54% of the companies believe that a cyberattack is inevitable1.
Employees could be the biggest cyber security risk for companies in this age, where the threat of cyberattacks on businesses is magnifying with every passing day.
Phishing has long been the most common and widely used form of cyberattacks, accounting for 90% to 95% of all the successful cyberattacks across world2. Users often become victim of spoofing, impersonation, seasonal and branded attacks, compromising a company’s cyber security.
Several of these users are incumbent employees, who intentionally or unintentionally connect their devices to unsecured networks or programs, open malicious emails and attachments or use unauthorized file sharing systems, providing hackers with access to the company’s IT network.
Companies also face risk from ex-employees who have exited the company or were ousted. Such employees could exploit their knowledge about the company’s business processes, IT systems and their internal connections to launch or help launch cyberattacks on the company.
The threats are magnified by the lack of proper protocols around data management and protection and lack of training and awareness around cybersecurity threats.
As per the recent data security survey by GetApp, 43% of employees do not receive regular data security training, while 8% have never got any training at all. The research also unveils that only 27% companies offer social engineering awareness training to their employees3. This highlights the lack of training and the looming threat of cyberattacks on businesses.
With employees being a major cyber security risk, companies need to implement stringent and well-defined cybersecurity rules and conduct frequent trainings and workshops to educate the employees of the cybersecurity threats and ways to tackle them.
No blame game:
A collaborated effort at every level within the business structure will help in allaying the threat of cyberattacks to a significant extent. Meanwhile, companies should also lay down rules and adopt efficient monitoring solutions for employees using their own devices under the BYOD model, offsite employees connecting to the office IT network through external servers and third-party vendors and partners accessing the company’s systems.
A well-rounded cybersecurity strategy, involving everyone from top to bottom and from outside and within, will help in doing away with the blame game and safeguard the business.