Why Most Security Plans Fail: How to Build a Cyber-Security Focused Corporate Culture
Organizations struggle to implement and maintain a cyber security posture appropriate for today's threat landscape. They implement policies and procedures with the intent of protecting their data. Under the assumption that policy violations are typically the result of ignorance or malicious behavior, they strive to educate their workforce on the importance of adhering to the policy and the ramifications of a violation. However, most of these efforts fail to accomplish the goal of improved security.

A recent study in the Harvard Business Review indicates that other factors come into play when users are faced with compliance tasks. The study, which focused on remote workers during the pandemic, found that most policy infractions were intentional yet non-malicious, and were largely driven by employee stress. According to the study, "when asked why they failed to follow security policies, our participants' top three responses were, 'to better accomplish tasks for my job,' 'to get something I needed,' and 'to help others get their work done.'"

This last motivator, the desire to help others, cuts to the core of the Managed Service Provider's role. After all, that is what an MSP is there to do: help others. And attackers know that. The 2023 breaches at MGM Resorts and Caesars Entertainment both began with a socially engineered call to an IT help desk requesting a credential reset (in Caesars' case, an outsourced IT support vendor). In the desire to "help" the end user, the help desk technician most likely circumvented the identity verification process in some way.

Security policies can also hinder productivity and increase stress. According to the study, "Too often, IT departments develop protocols in a vacuum, with limited understanding of how these rules might interfere with people's workflows or create new sources of stress."
Given the competing demands of productivity and a helpful environment on one side and cyber security on the other, it is critical that the culture of the organization instills an inherent desire to remain secure. So how does an organization implement a cyber security focused culture?
Corporate culture is established by executive leadership. For the workforce to take cybersecurity seriously, corporate executives need to internalize the need and incorporate it into everything the company does. They don’t need to understand the technical details, but they need to listen to, and support, those that do. Their messaging must reinforce the need for vigilance and compliance at all levels. Larger organizations may implement a Chief Information Security Officer (CISO) position as a member of the executive team or designate a senior security engineer that reports to the executive team regularly. However, as the head of the organization the CEO or Executive Director must continually reinforce the importance of cybersecurity at every opportunity.
Organizations should form a "Security Council" in charge of overseeing the policies and procedures of the organization with regard to cyber security. The council should include both technical and non-technical employees from all levels of the organization. Members should have a thorough understanding of the workflow of the organization, the data the organization holds, and the need to balance security with productivity. The council should meet regularly. In addition to developing policies and procedures, the group should review the performance of the organization against those policies by reviewing internal audit results. The council can also serve as the forum where non-members propose additional tools, services, or policies, so that each proposal is checked for alignment with the security needs of the organization before it is adopted.
Security Awareness Training has become commonplace within organizations. It trains employees to identify phishing attempts, practice basic cyber hygiene, and keep a watchful eye. It even tests them by sending fake phishing emails and dropping USB drives in the parking lot. However, it often fails to teach employees how their role affects the security of the data for which the organization is custodian. Regardless of whether the organization is in a regulated industry, company data must be protected. In regulated industries it is even more critical that employees understand their role in maintaining compliance. To perform their jobs, many employees must be granted access to confidential data. Employees must be trained to take that privilege seriously and not abuse it. It may be tempting to peek at the medical records of the celebrity who was just admitted to the hospital where you work (TMZ might even pay a pretty penny for that information). Copying confidential data to your laptop so you can work on it at home after hours seems like it would improve your productivity. Both, however, are violations that can carry significant consequences. Employees must be continually reminded of the proper handling of data. Department managers can support this effort by including data security as a regular topic in their staff meetings. Have the CISO or a member of the Security Council present the latest security intel at a staff meeting occasionally.
Compliance is a process, not an abstract idea. It needs to be integrated into the workflow of the organization. Wherever possible, security measures or compliance requirements should be built into procedures such that a task cannot be completed without verification that the security measure has been accounted for. Depending on the task and process, this can be accomplished using workflow software, automation, peer review, or checklists. Regardless of the method, employees must be held accountable for ensuring the process is followed and completed properly.
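The help desk credential reset discussed above is the textbook case for building the control into the task itself. The following is an added example, not code from the article or from any MSP tooling it mentions: a small in-memory reset workflow in which the reset function checks for recorded identity verifications and has no override path, so a technician who wants to "just help" cannot skip the check. The ticket fields, the two required steps (an MFA push to a factor enrolled before the ticket was opened, and a callback to the manager at the number on file), and the directory data are all hypothetical.

```python
"""Gated credential-reset workflow (added example; hypothetical design).

The reset action itself enforces the verification gate, so there is no path
through the process that completes a reset without the recorded checks.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Step(Enum):
    MFA_PUSH = "mfa_push"                  # approval on a factor enrolled before the ticket
    MANAGER_CALLBACK = "manager_callback"  # technician calls the manager's number on file


# Policy (hypothetical): both steps must be recorded as passed before a reset runs.
REQUIRED_STEPS = frozenset({Step.MFA_PUSH, Step.MANAGER_CALLBACK})


class VerificationRequired(Exception):
    """Raised when a reset is attempted while the gate is unsatisfied."""


@dataclass
class DirectoryEntry:
    username: str
    manager_phone: str          # taken from HR's directory, never from the caller
    mfa_enrolled_at: datetime   # from the IdP; a brand-new enrollment is itself a red flag


@dataclass
class ResetTicket:
    ticket_id: str
    username: str
    technician: str
    opened_at: datetime
    passed: dict = field(default_factory=dict)  # Step -> (verifier, timestamp)
    audit: list = field(default_factory=list)

    def log(self, msg: str) -> None:
        self.audit.append(f"{self.ticket_id} {msg}")

    def record(self, step: Step, verifier: str, ok: bool, now: datetime) -> None:
        # Failed checks are logged but never stored as a pass.
        self.log(f"{step.value} by {verifier}: {'pass' if ok else 'FAIL'}")
        if ok:
            self.passed[step] = (verifier, now)

    def missing(self) -> set:
        return set(REQUIRED_STEPS) - set(self.passed)


def verify_mfa_push(ticket: ResetTicket, entry: DirectoryEntry, approved: bool, now: datetime) -> bool:
    """Count the push only if the factor was enrolled before the ticket existed.
    'Reset my password and re-enroll my phone' on one call is the classic bypass."""
    ok = approved and entry.mfa_enrolled_at < ticket.opened_at
    ticket.record(Step.MFA_PUSH, "idp", ok, now)
    return ok


def verify_manager_callback(ticket: ResetTicket, entry: DirectoryEntry,
                            number_dialed: str, confirmed: bool, now: datetime) -> bool:
    """The callback must go to the number on file, not one the caller supplies."""
    ok = confirmed and number_dialed == entry.manager_phone
    ticket.record(Step.MANAGER_CALLBACK, ticket.technician, ok, now)
    return ok


def reset_password(ticket: ResetTicket, now: datetime) -> bool:
    """The only reset entry point. Deliberately no 'override' or 'urgent' argument."""
    missing = ticket.missing()
    if missing:
        names = ", ".join(sorted(s.value for s in missing))
        ticket.log(f"reset BLOCKED, missing: {names}")
        raise VerificationRequired(names)
    ticket.log(f"reset DONE by {ticket.technician} at {now.isoformat()}")
    return True


def demo():
    """Constructed walk-through: a premature reset is blocked, then the gated one succeeds.
    Returns (blocked, completed, audit_trail)."""
    now = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    entry = DirectoryEntry("jdoe", "+1-555-0100", mfa_enrolled_at=now - timedelta(days=400))
    ticket = ResetTicket("HD-1042", "jdoe", "tech01", opened_at=now)
    blocked = False
    try:
        reset_password(ticket, now)          # the "just help them" attempt
    except VerificationRequired:
        blocked = True
    verify_mfa_push(ticket, entry, approved=True, now=now)
    verify_manager_callback(ticket, entry, "+1-555-0100", confirmed=True, now=now)
    completed = reset_password(ticket, now)
    return blocked, completed, ticket.audit


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The point of the design is that the gate lives in `reset_password`, not in a checklist the technician is asked to remember, and that the audit trail records the blocked attempt as well as the completed one. Two of the common social-engineering shortcuts are closed by the verifiers themselves: a factor enrolled after the ticket was opened does not count as MFA, and a callback number supplied by the caller is rejected in favor of the one on file.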
However, employees make mistakes. Even the best processes can be circumvented, whether accidentally or maliciously. The organization must foster a culture that supports employees stepping forward to report errors they have personally made. These must be viewed as learning experiences and should carry no punitive consequences. Employees witnessing misconduct by others must feel comfortable bringing it to management's attention. However, according to a 2022 Gartner survey, only 54% of employees feel that reporting workplace misconduct is the right thing to do. Only one-third believed that reporting would lead to a better work environment or improve their team's morale or performance. And only one in five thought reporting would be good for their career. Employees who report the bad behavior of others must be protected from retaliation, and they must see a benefit to their team or career in doing so. The company must be transparent about the outcomes of the reports it receives, and it should provide mechanisms by which employees can report potential security infractions without fear of retribution.
In the words of John Wooden, legendary basketball coach: "The eight laws of learning are explanation, demonstration, imitation, repetition, repetition, repetition, repetition, repetition." All these concepts need to be reinforced continually. An internal marketing campaign might include physical posters, emails, newsletters, and even games designed to educate in an entertaining way. By ensuring cybersecurity is emphasized from top to bottom, organizations will be far more likely to succeed in the implementation of their security plan.
OTX Roundtable GRC
The adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center in the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.