Instilling a cyber security culture in the company
04 02 2019
Looking beyond the fundamental protective tools, we can sum up the key to a successful cybersecurity policy in just one word: people. However, educating and training staff in IT risks involves more than just applying a few basic rules. You also need to develop an internal “cybersecurity culture”.
According to the 2018 Cybersecurity Study by Deloitte, employees are responsible for 63% of internal security incidents. Yet, as shown by ISACA and the CMMI Institute in the 2018 Cybersecurity Culture Report, many organisations rely heavily on technology for their cybersecurity and fail to invest sufficiently in what should be their first line of defence: their workforce.
The need to develop an in-house culture of cybersecurity
Cybercriminals are skilled in identifying the weakest links in a company. Often, they look no further than the personal information shared publicly on social media. An employee’s interests, the birthdays of their children or the name of the family pet can all be used in spear phishing attacks or provide clues for hacking passwords.
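The point above (a pet's name or a child's birthday becomes both a spear-phishing hook and a password guess) is easy to see in code. The following is an added example, not code from the Stormshield article: it builds the kind of targeted wordlist an attacker would seed from a public profile, and then reuses the same token list as a defensive policy check that rejects passwords containing those personal details. The profile, the substitution rules and the password strings are constructed for illustration; a real cracker uses far larger rule sets.

```python
"""Targeted password guesses from public personal details, and the matching
policy check.  Added example, not from the original article.  The profile,
leet rules and passwords below are constructed for illustration."""
from datetime import date

# Constructed OSINT profile: the facts an employee typically shares online.
PROFILE = {
    "pet": "Biscuit",
    "children": ["Leah", "Thomas"],
    "birthdays": [date(2011, 3, 14), date(2014, 9, 2)],
    "interests": ["rugby"],
}

# Assumed character substitutions (a tiny subset of real cracking rules).
LEET = str.maketrans("aeios", "@310$")
UNLEET = str.maketrans("@310$", "aeios")

# Tokens shorter than this are ignored to limit false positives in the check.
MIN_TOKEN_LEN = 4


def personal_tokens(profile):
    """Lower-cased words and date fragments derived from the profile."""
    tokens = {profile["pet"], *profile["children"], *profile["interests"]}
    for d in profile["birthdays"]:
        # ddmm, ddmmyy, ddmmyyyy and the bare year: common password suffixes
        tokens.update(d.strftime(f) for f in ("%d%m", "%d%m%y", "%d%m%Y", "%Y"))
    return {t.lower() for t in tokens if len(t) >= MIN_TOKEN_LEN}


def candidate_passwords(profile):
    """Attacker view: word variants combined with date and common suffixes."""
    tokens = personal_tokens(profile)
    words = sorted(t for t in tokens if not t.isdigit())
    suffixes = sorted(t for t in tokens if t.isdigit()) + ["123", "2019"]
    out = set()
    for w in words:
        for variant in (w, w.capitalize(), w.capitalize().translate(LEET)):
            out.add(variant)
            for s in suffixes:
                out.add(variant + s)
                out.add(variant + s + "!")
    return sorted(out)


def personal_matches(password, profile):
    """Defender view: personal tokens present in the password, seen through
    case folding and the leet substitutions above."""
    lowered = password.lower()
    forms = (lowered, lowered.translate(UNLEET))
    return sorted(t for t in personal_tokens(profile) if any(t in f for f in forms))


def is_acceptable(password, profile, min_len=12):
    """Policy check: long enough and free of known personal details."""
    return len(password) >= min_len and not personal_matches(password, profile)


if __name__ == "__main__":
    guesses = candidate_passwords(PROFILE)
    print(f"{len(guesses)} targeted guesses, e.g. {guesses[:5]}")
    for pw in ("Biscuit2011!", "B1$cu1t2011!", "correct-horse-battery"):
        print(pw, "->", personal_matches(pw, PROFILE), is_acceptable(pw, PROFILE))
```

A practical use of the defensive half is a pre-commit check in an identity provider or password-reset flow, fed with the tokens the employee has already declared to HR (names, dates) rather than scraped from social media; the attacker's half is what a security awareness session can demonstrate live to make the risk concrete.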
“People are the greatest point of vulnerability when it comes to cybersecurity. The breach may be accidental (mistakes, forgetting or failing to respect instructions), or it might result from data compromise (unwittingly enabling malicious intrusion) or premeditation (causing intentional harm for a variety of reasons),” says Franck Nielacny, Chief Information Officer at Stormshield.
The risk of data compromise, in particular, is increasing. “All companies and all employees can be threat vectors. This is true for mass attacks, as in the case of the WannaCry ransomware in 2017, but also for highly targeted attacks, where they are unwitting players,” warns Stéphane Prévost, Product Marketing Manager at Stormshield.
Corporate cybersecurity: everybody’s business
Even when everybody has understood the need to place people at the core of the corporate cybersecurity policy, you still have to persuade employees that cybersecurity is everybody’s business. To successfully develop a shared in-house cybersecurity culture, five key players need to be involved, according to Franck Nielacny: “management, employee representatives, HR, the head of IT security and the IT director”.
The process is far from simple, for a number of (good) reasons. First, new security processes are generally viewed by employees as yet another constraint. At the same time, many companies have a siloed organisation that is not favourable to teamwork, and a shared culture cannot develop with only minimal cooperation between departments. In such conditions it is difficult to collect practical, timely feedback on the company’s vulnerabilities and to address them quickly.
The cybersecurity culture also needs to place greater emphasis on integrating security early in the development cycle of business software. This is one of the best ways to educate every corporate department on handling sensitive data. With the GDPR, this approach has become a legal requirement: Article 25 imposes “data protection by design and by default”, so that the software itself does not become the weakest link in the security chain. Often, however, it is the lack of qualified in-house staff that hampers efforts to run an ongoing information policy on IT risk.
The emergence of a cybersecurity culture can also be hindered by an approach that is too top-down. Getting employees on board requires active involvement from senior management as well as middle management, and the end user and his or her needs must always be the key concern. For cybersecurity to be effective, it needs to become part of everyday practices. At Stormshield, one of the measures put in place to instil a cybersecurity culture is ‘punishment by pastry’. If an employee leaves their workstation unlocked when they are away from their desk, their email is ‘hacked’ by a colleague and they have to buy a round of croissants for the whole office. This method has proved to be highly effective.
Implement protective solutions tailored to business use
However, not all companies are immersed in these issues to the same extent. Many have a far more distant relationship with cybersecurity. For these companies, the urgent need to educate employees is clear. “A relatively well-informed user is already able to avoid a significant number of risks,” points out Matthieu Bonenfant, Chief Marketing Officer at Stormshield. This is all the more true since the threat can frequently be traced back to employees who are careless or unlucky rather than truly ill-intentioned.
Franck Nielacny adds, “it’s essential right from the start to understand how employees use tools and critical data, to ensure that appropriate solutions are put in place”. One of the problems to be addressed in the way employees use IT tools is shadow IT. This is when employees use new apps for business purposes without consulting the IT department first. Another key requirement is to make sure that “all security procedures are a smooth fit with the business processes of each department,” he adds.
Last, we also need to take account of mobile working. “With the development of mobile working, connected objects and external ERP systems, it no longer makes sense to maintain an internal security perimeter. Today, companies can build a reinforced security policy based on greater segmentation of the data flow, for example. By designing the system as a zero trust network, they can contain threats and prevent propagation,” concludes Stéphane Prévost.