Does Your Company Have A Security-Unconscious Culture?
In this first of a three-part series of posts on how to create a security-minded culture, we start by addressing this question: Could 2017 be the year where we all started to take security very seriously?The relentless year-on-year growth of cyber crime is reaching a stage where it is threatening our economy and jobs. There are even fears for the very fabric of society. And to make matters worse, this is happening despite more being spent on making us more secure than ever before.
Market analyst Juniper Research, for example, suggests that the cost of data breaches will reach $2.1 trillion globally by 2019.
According to information security policy research organization, the Ponemon Institute, the largest cost impact from cyber crime is information loss followed by business disruption. And the sectors impacted the most are financial services and utilities and energy.
Size of organization is also a factor. Smaller companies experience a higher proportion of cyber-crime costs relating to malware, web-based attacks, and phishing. Larger organizations experience a higher proportion of costs relating to denial of services, malicious insiders, malicious code and stolen devices.The costliest of all data breaches are those related to malicious insidersDetica, a data analysis company commissioned by the UK government to investigate the impact of cyber crime on business, lists the effects of the loss of intellectual property alone as reduced revenues, lower profitability (by losing the first to market advantage), damage to reputation (both through the disclosure of the incident and from the arrival on the market of counterfeit goods), a reduction in share price (which can be particularly damaging if the hacked company happens to be an acquisition target), and of course, raised security related costs as company’s become more aware of their vulnerabilities.
All this leads to a general loss of competitive advantage, and potentially even more damaging, a kind of corporate depression expressed by a falling willingness to invest which will inevitably lead to job losses and maybe even company failures, particularly when the thefts are from smaller firms that rely on the trade sales of their intellectual property, says Deteca.
Today’s organizations have access to an unprecedented array of tools to defend themselves from cyber attacks and are spending more on them now than ever before. The days of just relying on anti-virus and firewalls are long gone.
Penetration testing, packet sniffing, incident response management, computer forensics, intelligence gathering, shadow networks, virtualization, emulation technology and more offer organizations an impressive armory with which to protect themselves.
But recent high profile data breaches - Sony Pictures hack probably aided, if not entirely carried out, by insiders; Democrat National Committee hack looks like the result of email phishing - have demonstrated that technology has its limits when it comes to protecting us from cyber crime. Security is only as good as an organization’s weakest link and, it turns out, that link is often human rather than machine.
Remembering truly secure - and therefore complex—passwords is difficult enough, let alone remembering to regularly change them. Constant changes in hardware, software and services used, plus changes in policies, do not help either. And the temptations to use insecure devices at work - from USB memory sticks to mobile phones - are great, especially when under pressure to get things done.
Clearly, it’s in everyone in an organization’s interests to prevent data breaches from occurring. The best answer therefore is team effort, creating a culture where all concerned realize the importance of security and are given the tools and skills to play their part in supporting it.
So how do you help to create a security-conscious culture in your organization and what tasks should it concentrate on in order to be successful?
In the next instalment of this three-part series on creating a security-minded culture, we look at the dos and don’ts of successful persuasion and how they may be applied to attaining the right security mindset in the workplace.