Does your organisation need a cybersecurity culture? Let us put together a few cybersecurity statistics: The average cost of a data breach in India is Rs. 11.9 crore. 22% of breaches are caused by human error. Phishing accounts for 91% of cyberattacks. Why are these statistics important? They emphasise that cyberattacks are very expensive and you will need a cybersecurity culture in your arsenal of defences because an informed and alert workforce is the best safeguard against human error and phishing.
Having a well established cybersecurity culture has become critical now that working from home has become the norm rather than the exception. Employees who operate outside the IT perimeter of their organisation need to be constantly aware of the potential for a cyberattack in all their activities and, equally, leaders need to place greater emphasis on cybersecurity when making decisions – both of which imply that the organisation needs to cultivate a culture of cybersecurity.
Why Organisational Culture Is Effective Against Cyberattacks
Cyberattacks used to be carried out purely by spreading malware; a classic example is viruses spreading through infected USB drives. Organisations invested in cybersecurity solutions that were capable of scanning for malware and received frequent updates to spot the latest malware. The effectiveness of such solutions made threat actors look for vulnerabilities that couldn’t be stopped easily by a technology layer. They realised that cybersecurity solutions can protect devices and networks but the user remains vulnerable. This led to the rise of social engineering attacks.
Imagine an employee in the finance department of your organisation receiving an email from the CEO asking for the urgent transfer of funds for a special project. The employee transfers the funds believing the message is genuine, but the message was sent by a threat actor impersonating the CEO. No malware was involved in this attack, which relied entirely on social engineering, but your organisation still suffered a cyberattack.
Social engineering attacks such as phishing can take many forms but they all involve persuading an employee to perform a harmful action which could include the installation of malware. A wary employee can spot and stop such attacks immediately, and the culture in your organisation should encourage employees to be alert all the time.
Organisational culture can impact cybersecurity in other ways as well. Insisting on strong passwords will not be very helpful if employees are in the habit of sharing passwords, or if managers demand that passwords are shared in order to get the job done quickly. Cultivating a cybersecurity culture avoids such practices.
Cybersecurity Culture – What It Is, and What It Isn’t
What It Isn’t
Let’s start with what it isn’t: many organisations believe that putting up posters that urge employees not to share their passwords will create a culture of cybersecurity – but it will not, at least not by itself. Such initiatives may work as reminders once a culture has been established, but establishing such a culture requires far more active measures.
What It Is
An organisation with a culture of cybersecurity does not treat security as an additional layer. Instead, it weaves security into the very fabric of the organisation. Let us now see how that can be accomplished.
Creating a Culture of Cybersecurity
- Hiring – IT is the most obvious department that will benefit from looking for cybersecurity skills when hiring, but IT teams are usually subject to decisions made by senior management. Therefore, leaders in any department or function should be hired only after examining their cybersecurity track record; specifically look for those who have implemented or improved cybersecurity measures in their previous roles. They need not be experts, but should be known for seeking out and listening to cybersecurity experts. This is the most important step in creating a cybersecurity culture, because leaders set the tone for all their subordinates, and it should be followed in both internal and external recruitment. Emphasising cybersecurity when hiring also sends a clear signal throughout the organisation that combating cyberthreats is a priority
- Training – A cybersecurity training programme should be formulated to ensure that all employees, irrespective of their position in the hierarchy, are made aware of how cyberthreats work, how threat actors may target them, the organisation’s defences against cyberthreats, the cybersecurity best practices that should always be followed, the individual’s responsibility with regard to cybersecurity, and the escalation matrix to use if they notice a cyberthreat or vulnerability
  - Training should cover relevant laws, such as data privacy regulations, and the consequences if such laws are violated; organisations with international operations should include the legislation of their overseas markets as part of the training
  - Responsible use of social media is another area that organisations should emphasise in training, as employees are often not aware that their use of social sites and apps can put their personal safety and their employer’s cybersecurity at risk
  - Training should be customised to suit the responsibilities and access privileges of employees at different hierarchy levels, e.g. leaders should be made aware of cyberthreats that specifically target the C-suite
  - Training should not be a one-time event. Refresher courses should be provided at periodic intervals
- Procurement – Cybersecurity should be made part of the selection criteria when issuing RFPs/tenders for hardware and software. The vendor’s track record in providing security patches should be ascertained, and the duration of support (lifetime support is preferred) for the product should be verified before a purchase order is issued
- Scrappage – Hardware and software that have reached end-of-support should not be used. The support status of all IT assets should be tracked and obsolete products should be retired. Hardware that is sold to scrap merchants should be thoroughly sanitised before being discarded, to remove any confidential information that might have been stored on it
- Design – Cybersecurity by design should be a guiding principle when designing administrative and operational processes. The processes should be designed to
  - Reduce the attack surface
  - Avoid identified risks
  - Have cybersecurity as a default rather than an additional layer
  - Give priority to cybersecurity issues
- Partnerships – All organisations partner with other organisations for the provision of various services, and cyberattacks may originate in a partner organisation. Cybersecuring the supply chain is, therefore, an essential part of organisational cybersecurity; choose to partner with vendors who prioritise cybersecurity as much as you do
Businesses often create a cybersecurity policy and include many of these measures in the policy. While having a cybersecurity policy is important, it does not by itself result in a culture of cybersecurity as the policy may exist only on paper. Culture is what is practised, not what is preached, so ensure that you judge your organisation’s cybersecurity culture by the extent to which employees automatically follow the above measures.
We have discussed cyberattacks, such as phishing, that can be launched without a malware component, but such attacks often include malware as a payload at later stages, when the attacker tries to infiltrate your organisation. K7 Security’s enterprise endpoint and network security solutions provide comprehensive defences against the latest malware and malicious websites. Contact us for more information on how we can help you secure your operations.