People, along with tools and processes, are key to effective cybersecurity. But without the appropriate training and education they can pose the biggest threat.
The digital threatscape is proliferating exponentially – phishing emails increased almost 800 percent quarter-to-quarter in Q1 2016, to 6.3 million, and ransomware soared 300 percent year-over-year on its way to a billion-dollar-a-year problem. So it's vital to remember that effective cybersecurity rests on three pillars: products and services, processes, and people. Simply throwing more money and resources at cybersecurity is not the answer. People are the key, and everybody has a role to play in effective cybersecurity.
A holistic approach that protects people, things, processes, and all the data they create from intentional and unintentional harm is required, and all of this can be combined and enhanced by creating a culture of cybersecurity at work. It can mean the difference between business survival and failure, especially in the digital era: cybersecurity is the foundation of digital business and innovation.
The general public has become acutely aware of cyber threats during this election cycle, so let's use this as motivation to secure our own devices, networks, and data. Testifying before Congress in October, FBI Director James Comey said, “... the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.”
However, as scary as the external threatscape is, the internal challenges are equally problematic. Not only are ‘normal, everyday users,’ i.e. your staff, partners, and customers, ‘the weakest links in the digital security chain,’ but 95 percent of all security breaches were caused by human error.
So creating a culture of cybersecurity at work is imperative, and while neither simple nor easy, it is a readily achievable objective with the appropriate processes and practices. Effective cybersecurity requires the involvement of everybody, all the time, to:
Identify and protect your organization’s digital ‘crown jewels’
Be able to detect incidents and have a plan for responding
Because cybersecurity is not a one-time, one-size-fits-all, all-in-one solution, the workplace requires a flexible and dynamic approach that changes as the threatscape, tools and techniques change. Your cybersecurity culture should include:
Comprehensive cybersecurity architecture that is part of business processes, not an add-on
Ongoing education, training, and reviews that involve everybody
Focus on individual responsibility and awareness that everyone has a vital and ongoing role in cybersecurity
Find the motivation: Knowing about security is vital. Nowadays, people are commonly exposed to password challenges, phishing, and data theft, among various other threats. By addressing security concerns and risks, employees can better protect themselves against such risks at work and at home.
Create competition: By creating healthy competition within the organization, employees will be more engaged and take security measures seriously. Not only will employees be motivated to adopt security measures, they will promote them to others and compete to have the best security to safeguard their online presence.
Form security awareness allies: Ensuring security measures are taken seriously is not the sole responsibility of the security team. Other departments must be involved so that everyone is practicing the same measures and leaving no space for a breach.
Empower employees to take initiative: By empowering employees within the organization and recognizing their initiatives, motivation levels will increase, which will likely lead to greater efficiency. Many employees prefer empowerment over monetary benefits.
Keep it simple and aligned to the business: The objectives of your business must be clearly defined, and processes must be aligned to achieve them. Every employee must be made aware of their priorities, and security is no different: the value of security must be instilled in processes to protect the overall organization.