At risk of attack
A weak information security culture means your company is vulnerable.
With the marked increase in cyber attacks and ever tighter legislation around data privacy, it's imperative that companies prioritise security activities and interventions. Typically, companies tend to focus on awareness of security but fail to change behaviour. Unless the behaviour of every individual in the group is modified, the interventions will not reduce the risk of a security incident.
It is important to have the right policies and procedures in place, but awareness of protocols is not enough. In order to really combat the risks of a security breach in a company, it has to go beyond awareness to really impacting conscious behaviour. This year - 2017 - needs to be the year of working towards a security culture.
A security culture is an organisational culture where not only are all the right security protocols in place, but the correct behaviour and response to security becomes subconscious, instinctive and effortless.
Companies have to start with building awareness of why security is important and how to reduce risk. Then they move on to changing behaviour in mitigation of risk and in the event of an incident. There are elements of everyone's behaviour - be it professional or social, public or private - that must change. This is all about individuals doing things right the first time. Ultimately, the goal is to achieve a strong culture of security that becomes a fundamental part of the organisational behaviour.
Some of the scenarios that occur in the absence of a security culture include sharing passwords or writing them down; leaving computers unlocked while away from the desk; letting guests wander around the office unaccompanied; leaving confidential documents in a public place; using weak passwords to access company systems; storing confidential information on a personal device; connecting to unsecured WiFi... unfortunately, the list is long and the potential for exploitation is high.
2017 needs to be the year of working towards a security culture.
No matter how well documented a company's procedures are or how clear and available its security policies, if it has a weak security culture, the company is vulnerable.
In today's world, no company is going to be able to operate without being both physically and digitally secure. Companies have both legislative and contractual obligations around the security of products, data and employees. If these obligations are not met, the company will suffer reputational and financial losses. If an employer loses the trust of its client or market, the impact will also be felt by the employees. To that extent, security isn't just the responsibility of the organisation, but of all of its stakeholders as well.
There are also benefits to the employee on a personal level when working within a security culture; for example, a sense of physical safety while working, and a sense of digital safety. If an employee works for a company that takes security seriously, that employee knows his/her personal information is safe, and s/he is more aware of how important it is to keep personal information safe online.
A strong security culture promotes stability, trust and increased revenue potential, making the company better able to award staff.
Legislation and regulation
It's not just about passwords and being safe online; data privacy legislation and regulation defines an organisation's overall posture towards data and client information - how it is gathered, stored and used.
Employees need to understand what the relevant data privacy legislation and regulation means for them, and how they need to act to ensure the company remains compliant.
The Protection of Personal Information Act specifies what information a company may gather about a person/juristic person, what it may be used for, and how long it may be kept. Employees need to understand how this impacts their day-to-day activities, and how it affects the company, so it isn't just one more box they need to tick, but becomes an integral part of how they do their jobs.
In the security world it's a constant journey, never a destination...