
Cultivating a cybersecurity-first corporate culture

After Sept. 11, New York City's Metropolitan Transportation Authority came up with a tagline intended to make citizens aware that each person is on the front line when it comes to defending the metropolis against another terror attack.

“There are 16 million eyes in the city. We're counting on all of them.”

The line is supposed to cultivate an environment that brings awareness to the fore and at the same time makes every individual realize they have a part to play in keeping their city, and themselves, safe.

The same needs to be done when it comes to protecting a company, or even a household, from a cyberattack.

Changing a company's culture, much like that of a city, may not be easy or quick, but it is also far from impossible. The first step is getting buy-in from the staff by making sure everyone knows that each and every one of them truly has an important role to play.

While there are some types of intrusions that the average staffer cannot help detect or thwart, the truth is the most likely way a cybercriminal is going to breach a corporation's defensive perimeter is through a phishing attack – one that will most likely target an unwary soul who is simply trying to handle a multitude of tasks promptly to keep their supervisor happy with their performance.

A worker who is simply churning out the sausage without keeping an eye on what is going into it may, and most likely will, eventually click on the wrong email attachment, and disaster may ensue.

Shalabh Mohan, Area 1's vice president for products and marketing, says 95 percent of all breaches begin with a phishing attack, which is also the type of attack most easily prevented by an employee. However, in order to be helpful, the Joe and Jane cube-dwellers have to be made aware of the problem. That can be done not only through dedicated training, but also with a lighter touch.

For the second year, Mohan's company recently released a whimsical tool called March Hackness, based on the NCAA March Madness tournament bracket. Area 1's version uses bracketology to show the pervasiveness of these kinds of attacks and to make them more relatable to the average office worker.

The March Hackness bracket shows the 64 brands used most often as bait in phishing scams in 2016 and then narrows them down to the one used most often. This year it was PayPal beating out Apple. If nothing else, the bracket shows that an email – even one apparently from the most reputable company or government agency – could be nothing more than a front for a phishing attack.

The need to quickly improve corporate cybersecurity capabilities at all levels has never been more apparent. A Wombat Security Technologies survey found that 76 percent of information security professionals reported their organization had been victimized by a phishing attack in 2016 and just over half of these people said the rate of attack is increasing.

The need for training and developing a corporate culture that prioritizes cybersecurity becomes clear through the answers to two of Wombat's survey questions, in particular. Only 65 percent of respondents could properly define phishing. And when it came to understanding ransomware, 52 percent would not even hazard a guess as to what the word meant.

Amy Baker, Wombat's vice president of marketing, says one way to entice a workforce to be receptive to instruction is to keep the lessons short and use a carrot. Plus, a little comedy never hurts.

“We have short videos with a little element of humor included to make the workers feel that they at least enjoyed the one moment of their life that we've taken,” Baker says.

Keeping the lessons short, under 20 minutes, and including some type of prize for those who score well on in-office security assessments is also a good way to keep people interested.

While adding some fun into the process is a plus, the one game enterprises must not play is the blame game.

“There is a culture of blame that's grown up around hacks,” Mohan says. “These are sophisticated attacks, produced by professionals who are very good at hacking. We shouldn't be blaming an individual because of a phishing link that they clicked.”

Stu Sjouwerman, CEO and founder of the security training firm KnowBe4, says not picking on individuals is important when trying to build a team effort around cybersecurity, but at the same time, the workers need to know if they are headed in the right direction.

“We recommend doing a phishing security test and sharing the percentage of clickers with the whole company and not the individual people,” he says. “Use that as the catalyst to kick off a security awareness training campaign.”
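One way to produce the company-wide figure Sjouwerman describes, as an added example that is not from the article or from KnowBe4: it assumes a per-recipient export from a simulated phishing campaign with `user`, `department` and `clicked` fields (the sample rows below are constructed), and a hypothetical minimum group size below which a department's rate is withheld, so that a small team's number cannot be used to work out who clicked.

```python
"""Report a simulated-phishing test as aggregate click rates only.

Added example, not code from the article or any vendor tool. It assumes a
campaign export with one row per recipient (user, department, clicked) and
reports the company-wide percentage of clickers plus per-department rates,
withholding any department too small for its rate to stay anonymous.
"""
from collections import defaultdict

# Constructed sample data: 12 recipients across three departments.
SAMPLE_RESULTS = [
    {"user": "u001", "department": "Finance", "clicked": True},
    {"user": "u002", "department": "Finance", "clicked": False},
    {"user": "u003", "department": "Finance", "clicked": True},
    {"user": "u004", "department": "Finance", "clicked": False},
    {"user": "u005", "department": "Finance", "clicked": False},
    {"user": "u006", "department": "Engineering", "clicked": False},
    {"user": "u007", "department": "Engineering", "clicked": False},
    {"user": "u008", "department": "Engineering", "clicked": True},
    {"user": "u009", "department": "Engineering", "clicked": False},
    {"user": "u010", "department": "Engineering", "clicked": False},
    {"user": "u011", "department": "Legal", "clicked": True},
    {"user": "u012", "department": "Legal", "clicked": False},
]

# Hypothetical policy value: a slice with fewer recipients than this is not
# reported, because a rate over two or three people identifies individuals.
MIN_GROUP_SIZE = 5


def click_rate(results):
    """Percentage of recipients who clicked, rounded to one decimal place."""
    total = len(results)
    if total == 0:
        return 0.0
    clicked = sum(1 for row in results if row["clicked"])
    return round(100 * clicked / total, 1)


def department_rates(results, min_group_size=MIN_GROUP_SIZE):
    """Per-department click rates; None marks a department withheld as too small."""
    groups = defaultdict(list)
    for row in results:
        groups[row["department"]].append(row)
    report = {}
    for dept, rows in sorted(groups.items()):
        report[dept] = click_rate(rows) if len(rows) >= min_group_size else None
    return report


def company_report(results, min_group_size=MIN_GROUP_SIZE):
    """Build the figures to share with the whole company.

    Only counts and percentages are included; recipient identifiers never
    leave this function, which is the point of reporting the rate rather
    than the people.
    """
    return {
        "recipients": len(results),
        "click_rate_pct": click_rate(results),
        "by_department": department_rates(results, min_group_size),
    }


if __name__ == "__main__":
    summary = company_report(SAMPLE_RESULTS)
    print(f"{summary['recipients']} recipients, {summary['click_rate_pct']}% clicked")
    for dept, rate in summary["by_department"].items():
        print(f"  {dept}: {'withheld (group too small)' if rate is None else f'{rate}%'}")
```

Running the same report after each campaign, and comparing the company-wide percentage over time, gives the trend the quote wants without ever circulating a list of names.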

One issue that might not come to mind for most people is that, despite having been around for many years, the internet is still in its infancy in some ways and was not originally built with any thought of security. This means those on the front line need to be made aware of the risks, something they should want anyway, since the same knowledge helps protect their own online presence.

“They have not realized that the net really still is in beta and that it was not built with security in mind,” says Sjouwerman. “Once they understand the risks, the first thing out of their mouth is: ‘How do I share this with my family?'”

But no employee is going to show the least amount of interest if corporate leadership does not lead the way, not only by setting the right example, but also by stressing that cybersecurity is a priority for the firm.

“They can do this through understanding cyberthreats to their lines of business or product offerings, fostering collaboration to discuss cyber risk topics, such as emerging threats in the news, monitoring cyber risk metrics pertinent to their business area, and elevating cyber risk oversight to visible senior leadership,” according to a recent Deloitte report.

After the cyberthreat is measured, and perhaps even before, corporate leadership needs to be proactive and start moving the company toward a healthy cyber lifestyle well before it becomes necessary.

“Culture changes happen gradually and by starting early you can have time to plan and implement a thoughtful culture initiative,” the Deloitte report said.

Part of instituting a new culture is to keep the new rules – and the thought process that leadership wants to instill in its workers – in front of them at all times. Wombat's Baker says this should involve including the employees in a number of activities. This could start with hearing first-hand accounts of cybersecurity disasters instigated by an unwary employee, or it might involve reminder emails or exercises, such as practicing devising strong passwords. Even placing posters on the breakroom wall is a positive step in the right direction. Basically, it's a 21st-century version of the famous motto that reminded workers during World War II to be mindful of security risks: “Loose Lips Sink Ships.”
