How to Create a Cybersecurity Culture

by
Mary Critelli
October 19, 2016

All companies continuously face cybersecurity threats from both inside and outside the organization. IT departments apply very basic defenses in order to reduce the chances and consequences of a data breach. Firewalls, operating system updates, secure connections, and spam filters are all standard, but they do not address the weakest and most fragile component of any cybersecurity strategy: people.

Morgan Stanley’s IT department is well known for implementing world-class cybersecurity protection. However, in a recent security breach, data from more than 350,000 customers was stolen by an employee. The SEC found Morgan Stanley responsible, citing a failure to employ “written policies and procedures reasonably designed to protect customer data.” Creating a work culture centered around cybersafety is essential. Most companies understand that better training and executive involvement are key elements in promoting cybersafety awareness, but what not-so-obvious actions can companies take to promote this culture? Learn more about four approaches below:

1. Ensure tone is set at the top

The only way to ingrain practices that support cybersecurity and lower the risk of cyberthreats is to start by embedding these principles in senior executives and management. This group is responsible for setting the company culture. Consider changing compensation and incentives to include cybersecurity compliance points. Recent studies show a direct correlation between CEO approval ratings and cybersecurity risk assessments: the higher the CEO approval rating, the lower the cybersecurity risk, which analysts believe proves the theory that the happier employees are at a company, the less likely they are to cause a security breach. A company culture that fosters loyalty and happiness among employees will lessen the risk of an “inside job,” whether that means hacking company systems or using company data for malicious purposes. A CEO who takes cybersecurity seriously will influence his or her employees to do the same.

2. Get certified

ISO/IEC 27001 is the best-known standard for specifying the requirements that keep information assets secure. Companies are not required to implement this standard, but many are now choosing to take the extra step of becoming certified. Not only does certification outline the standards for protecting the company, it also helps reassure customers and business partners that their information is safe and protected. Leverage the certification to set a company-wide standard that is documented, followed, and backed by top-level management. Hold trainings to ensure employees understand and follow the policies.

3. Create a cybersecurity scorecard

The U.S. Department of Defense is constantly under the threat of cyberattacks. The Secretary of Defense uses a cybersecurity scorecard to better understand cybersecurity compliance and exposure. The scorecard assesses cybersecurity controls across multiple areas: people, process, technology, facility, and compliance. Its purpose is to ensure organizations can effectively and regularly perform security assessments that highlight areas for improvement and gaps in cybersecurity policies. Once gaps are detected, they should be communicated throughout the company, and trainings should be scheduled to specifically target and mitigate these issues.

4. Inventory and protect all networked devices

The technology that people wear and carry is often more powerful than they realize, so companies and employees should be aware of the associated risks. Because users rarely think about cybersecurity as it applies to their personal devices, they put the company in a vulnerable position when they leave their devices on the least secure default settings. Training about the risks is crucial to establishing awareness. Publish company policies on what to do if a wearable device is stolen or put at risk, and cover them during employee onboarding. Establish programs to educate employees on how a hack of their device could put the company in danger.

It is not a matter of if a company will get hacked, but when. Embedding cybersecurity, cybersafety, and cyberthreat awareness into an organization’s culture helps delay and minimize the impact of the inevitable. Trenegy helps companies create and implement customized strategies to reduce cybersecurity risks.