3 Tips on How to Create a Cyber Security Culture at Work

DAVID BISSON

OCT 6, 2015 | SECURITY AWARENESS

This October marks another iteration of National Cyber Security Awareness Month (NCSAM), a
program designed to engage both the public and private sectors on good security practices via
activities that encourage awareness and resiliency in the event of a national cyber incident.

Sponsored by the Department of Homeland Security (DHS) in cooperation with the National Cyber
Security Alliance and the Multi-State Information Sharing and Analysis Center, NCSAM emphasizes
our shared responsibility in strengthening the cyber security posture of our workplaces, homes and
digital lives.

NCSAM 2015 officially kicked off last week with the fifth anniversary of STOP. THINK. CONNECT. – a
campaign that seeks to provide users with a unified, guiding principle that they can follow to stay
safe online. This week, NCSAM focuses on the theme of creating a culture of cyber security at work.

As we all know, computer criminals pose a serious threat to businesses today: they can steal
corporate intellectual property, as was the case with last year’s Sony hack; compromise employees’
personal and medical information, the latter of which is increasingly valuable on underground
web markets; and damage an organization’s reputation.

These external actors may also exploit poor security decisions by internal employees, and the
effects are amplified when bring your own device (BYOD) guidelines, or the policies meant to protect
Internet of Things (IoT) devices, are poor or incomplete.

In accordance with NCSAM, it is everyone’s responsibility to help protect his/her organization
against a breach or targeted attack. Here are a few tips on how you can help create a culture of
cyber security at work:

TIP #1: FOCUS ON SECURITY BASICS

People are most willing to embrace security if the concepts and technology are quick, hassle-free,
and easy to understand. That reasoning helps to explain why a focus on security basics can go a long
way.

“By embracing the basics of security hygiene – two-factor authentication (2FA), password managers,
and keeping devices and laptops updated – we’re teaching users that the security equivalent of
simply washing your hands is simple, effective, and easy to do,” explains Mike Hanley, Program
Manager, R&D at Duo Security. “These basics are proven to defeat the most common attacks and
prevent data breaches effectively…. While these methods don’t always get the limelight that threat-
focused measures receive, they are cost-effective and simple, and they help to reduce the strain on
security and IT resources.”

Cheryl Biswas, InfoSec I.T. Coordinator and Senior Writer at JIG Technologies, agrees that security, if
recognized as an approachable process and ongoing commitment, can help safeguard against the
dangers of what she calls Shadow IT and Shadow Data.

“Things get plugged in that shouldn’t, whereas data gets handled and exposed that shouldn’t,”
Biswas clarifies. “To counter these occurrences, I would recommend that security personnel lay the
following keystones in place and build around them:

Passwords: These really are the keys to your kingdom. Have a good password policy in place, teach
staff how and why to use it, and do routine checks to make sure that all your employees are on the
same page.

Patches: It is crucial that businesses of every size have a patch update program in place to ensure
that all software and systems are updated regularly and that emergency fixes can be implemented as
needed.

Get a baseline in place: While you cannot expect to catch everything, if you know what your norm is,
then you have an advantage when something deviates, and you can respond decisively. That’s
security in action.

Limit and enforce access: Not everyone needs access to everything, all the time. The fact is, the
more exposure your data has, the more at risk it is. You can, and you must, put rules in place that
allow most users access to only what they need. It’s good to request permission because that
enforces a necessary system of checks and balances that underpin good security.

Inventory and monitor: Know what you have, tag it, track it, and update what gets added or
removed to the system. This will help ensure you know what your baseline is for monitoring
purposes. Additionally, it will help you rein in control of your organization’s BYOD culture, should
one exist.”
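As an added illustration of the baseline and inventory keystones above (example code written for this page, not Biswas’s or the article’s own), the following Python compares a constructed asset inventory against constructed lease-log observations and reports the three deviations worth triaging: devices that are not in the inventory (shadow IT, guests, or unmanaged BYOD), inventoried devices that were not seen, and known hardware addresses presenting a different identity than recorded. The asset names, the observation lines and the log format are all assumptions made for the example.

```python
"""Baseline-versus-observed asset check (added example, not from the article).

Compares an asset inventory (the baseline) with what was actually seen on
the network and reports the deviations a security team would triage.
The inventory, the observation lines and their format are constructed for
illustration; in practice the observed side would come from DHCP leases,
a switch MAC table, or a discovery scan.
"""
from collections import namedtuple

Asset = namedtuple("Asset", "mac hostname owner")

# Constructed baseline: what the organisation believes it has (hypothetical names).
BASELINE = [
    Asset("00:1a:2b:3c:4d:01", "fin-laptop-01", "finance"),
    Asset("00:1a:2b:3c:4d:02", "fin-laptop-02", "finance"),
    Asset("00:1a:2b:3c:4d:10", "eng-ws-10", "engineering"),
    Asset("00:1a:2b:3c:4d:20", "printer-2f", "facilities"),
]

# Constructed observations in an assumed lease-log-like format: "<mac> <ip> <hostname>".
# Note the mixed MAC notations and the unknown phone on the last line.
OBSERVED_LOG = """\
00-1A-2B-3C-4D-01 10.0.1.11 fin-laptop-01
00:1a:2b:3c:4d:10 10.0.1.30 eng-ws-10
00:1a:2b:3c:4d:20 10.0.1.40 eng-ws-10
d4:3d:7e:aa:bb:cc 10.0.1.77 android-9f3
"""


def normalise_mac(mac):
    """Accept 00-1A-2B-..., 00:1a:2b:... or 001a2b... and return lower-case colon
    form, so the same device matches regardless of which tool recorded it."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_observations(text):
    """Map normalised MAC -> (ip, hostname); blank or malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        mac, ip, hostname = fields
        seen[normalise_mac(mac)] = (ip, hostname)
    return seen


def compare(baseline, observed):
    """Return the three deviation classes from the baseline."""
    known = {normalise_mac(a.mac): a for a in baseline}
    report = {"unknown": [], "missing": [], "identity_mismatch": []}
    for mac, (ip, hostname) in observed.items():
        asset = known.get(mac)
        if asset is None:
            # Not in the inventory at all: shadow IT, a guest, or unmanaged BYOD.
            report["unknown"].append((mac, ip, hostname))
        elif asset.hostname != hostname:
            # Known hardware address, unexpected name: re-imaged, reassigned, or spoofed.
            report["identity_mismatch"].append((mac, asset.hostname, hostname))
    for mac, asset in known.items():
        if mac not in observed:
            # In the inventory but not seen: retired, off-site, or walked out the door.
            report["missing"].append((mac, asset.hostname, asset.owner))
    return report


if __name__ == "__main__":
    for category, items in compare(BASELINE, parse_observations(OBSERVED_LOG)).items():
        for item in items:
            print(category, *item)
```

Run against the constructed data, the report flags the unknown Android device, the finance laptop that never appeared, and the printer’s MAC address now answering as an engineering workstation. The value of the check is entirely in the quality of the baseline: an inventory that is not kept current produces noise, which is why Biswas ties inventory and monitoring together.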

Paul Ghering, Infrastructure Analyst at Belden, states that security personnel cannot overemphasize
the importance of a strong BYOD culture:

“By implementing BYOD policies that simply do not trust what is outside the datacenter, we can
reduce the attack surface for the corporate data and services considerably. Also, management and
overview would greatly improve, and employees could use whatever device they have access to or
need to do their work.”

TIP #2: INVEST IN EMPLOYEE AWARENESS TRAINING

When it comes to strengthening an organization’s security posture, infosec personnel by themselves
can only do so much, for they are not the only ones interacting with corporate networks.

“Employees make decisions every day that negatively affect their business’s security,” explains
Wolfgang Goerlich, Cyber Security Strategist at CBI. “As a result, we have known for a while that, to
protect organizations, employees need online street smarts. However, the problem is that some in
the industry treat employee awareness as a training concern or one-time activity. It is not. It is an
ongoing cultural problem.”

With this in mind, it is important to break up employees’ training into separate units that each
address individual security topics. For example, as suggested by Adrian Sanabria, Senior Security
Analyst at 451 Research, organizations should spend some time educating users on how to spot
suspicious links and how they can use tools such as URLQuery.net to analyze potential threats.

“Safe URL tips can be easily shared through a monthly internal newsletter,” Sanabria observes. “We
can complement these suggestions by publishing a list of free resources like URLQuery onto an
internal intranet site for free use by employees. Sharing the links in this case doesn’t go far enough;
it’s best to include instructions on using them properly.”
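As an added example for the suspicious-link lesson (written for this page; it is neither Sanabria’s code nor a client for URLQuery), the following Python turns the checks an awareness newsletter would teach into code: credentials before an “@” that hide the real host, raw IP hosts, punycode labels, over-deep subdomain chains, login pages served over plain HTTP, and a brand name appearing on a domain the brand does not own. The brand list, the in-house brand name and the sample URLs are constructed; a hit means “look closer, for instance with an analysis service”, not “malicious”.

```python
"""Heuristic triage of links for a "spot the suspicious URL" lesson.

Added example, not from the original article. Flags the tricks most
phishing links rely on. The brand table and sample URLs are constructed
for illustration; a flagged URL is a reason to analyse it further, not
proof of malice, and an unflagged one is not proof of safety.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical: brands this organisation cares about and the registrable domains
# they legitimately use. A brand name on any other domain is a lookalike.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
    "examplecorp": {"examplecorp.com"},  # constructed in-house brand
}

# Digit-for-letter substitutions seen in lookalike domains (paypa1, micr0soft, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Last two labels of the host. Good enough for .com-style TLDs; a real
    deployment would consult the Public Suffix List for co.uk and friends."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_reasons(url):
    """Return human-readable reasons the URL deserves a second look ([] = none fired)."""
    reasons = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # javascript:, data:, file: and friends have no business in an e-mail link.
        reasons.append(f"unusual scheme '{scheme}'")
        return reasons
    if parts.username is not None:
        # http://paypal.com@evil.example/ -> the browser goes to evil.example.
        reasons.append("credentials before '@' hide the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no host")
        return reasons
    try:
        ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal hostname
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label, possible homoglyph")
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain chain")
    if scheme == "http" and parts.path.lower().rstrip("/").endswith(("login", "signin")):
        reasons.append("login page served over plain HTTP")
    domain = registrable_domain(host)
    # Undo digit substitutions and hyphens before looking for a brand name anywhere
    # in the host, then check whether the registrable domain is one the brand owns.
    normalised = host.translate(CONFUSABLES).replace("-", "")
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in normalised and domain not in legit_domains:
            reasons.append(f"mentions '{brand}' but registered domain is {domain}")
    return reasons


# Constructed samples for the lesson (none of these hosts are real targets).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://paypal.com@198.51.100.7/login",
    "https://secure-paypa1.com.account-verify.example/",
    "https://xn--pypal-4ve.com/",
    "javascript:alert(1)",
]


def triage(urls):
    """Map each URL to its reasons, so a newsletter can show hits next to misses."""
    return {u: suspicious_reasons(u) for u in urls}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print("SUSPICIOUS" if reasons else "ok        ", url, *reasons, sep="  ")
```

The point for training is the explanation attached to each hit, not the verdict: a user who has seen why “paypal.com@198.51.100.7” really goes to the IP address will recognise the trick the next time without a tool.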

Matt Pascucci similarly recognizes the value of engaging users directly in a security awareness
training program.

“We need to create competitions, newsletters and other ways for users to participate in the
awareness training,” Pascucci recommends. “Just like anything else, if it’s not going to grab their
attention it won’t stick in their minds. Find creative ways to get this information out, either via
funny newsletters or competitions; the more you can capture the users’ attention, the better chance
you have of the information sinking in.”

Pascucci goes on to explain that training exercises should be complemented with periodic tests
designed to evaluate user awareness and to direct training to different areas of focus.

TIP #3: ENCOURAGE THE SENIOR LEADERSHIP TO EMBODY ORGANIZATIONAL SECURITY

Training employees in good security practices goes only so far, however, a fact that Tony
Martin-Vegue, blogger and host of The Standard Deviant Security Podcast, readily appreciates:

“Companies can put in substantial effort and expend valuable resources in strengthening their
security posture, but the truth is they will fail if there is not a strong and consistent tone delivered
from the top,” Martin-Vegue explains. “It’s very important for an organization’s senior leadership to
be fully supportive and an enthusiastic advocate of security goals and objectives.”

Executive leadership is integral for companies that opt to implement a “clean desk” policy, under
which screens must be locked when unattended and laptops must be secured via cable locks.
Executives set the example by following these secure behaviors themselves; if they resist, employees
have no clear incentive to comply, either.

Business leaders who emphasize risk analysis can also contribute to a positive security culture at
work:

“Management that demands a rigorous and defensible risk analysis is able to make informed and
sound decisions about security investments,” states Martin-Vegue. “In the long run, this increases
the security posture of the firm and has the nice byproduct of giving the security team a reputation
of being credible. Gone are the days where saying ‘This is High Risk!’ is good enough to get budget
approved. Demand quantitative analysis that demonstrates a solid return on security investment.”

CONCLUSION

An organizational cyber security culture depends not solely on the work of one group but instead on
the contributions of all personnel. By assigning security personnel to focus on security basics,
employees to engage in interactive security awareness training, and executives to provide a
consistent pro-security tone, you can create a holistic cyber security culture in which everyone has a
stake.

Title image courtesy of ShutterStock