Building an Internal Security Culture that Supports Massive Organisational Growth
Business growth is a natural objective for most organisations. Of course you want your enterprise to grow and expand within your industry. That’s a given.
Unfortunately, this type of growth can be a double-edged sword simply because of the security concerns it creates. The more employees you have, the more difficult it is to oversee.
Maybe your security was first class when you only had 100 employees. But how do you stay secure if you go from 100 employees one year to 250 the next and 500 the next?
It’s a legitimate quandary.
Experts predict cyber crime damage will reach $6 trillion annually by 2021. Even in 2018, the statistics are terrifying: right now, hackers are winning the cyber war. It is vital to build an internal security culture that’s capable of supporting organisational growth, and has the ability to detect and manage new cyber threats as they arise.
But this creates one very pressing question.
How do you scale and still remain security-centric?
Get Everyone in on Security
One of the biggest obstacles that growing enterprises face is employees having the notion that security is someone else’s responsibility. The way they look at it, it’s solely limited to an IT manager or department, and it’s simply not their concern.
This is problematic for obvious reasons. Employees are unlikely to take security seriously and may engage in activities that put your organisation at risk.
A 2016 Ponemon Institute report even found that employee negligence was the top concern for more than half (53 percent) of businesses as it relates to data breaches. Often a critical security threat isn’t the result of nefarious activity from external sources. It’s simply the result of employee carelessness.
It’s also important to note the variance between internal and external threats. While companies may assume that external cyber attacks are their biggest threat, IBM’s 2016 Cyber Security Intelligence Index found that 60 percent of all attacks came from the inside. Of those attacks, 75 percent involved malicious intent and the remaining 25 percent were inadvertent. These statistics make it clear that internal threats are your biggest concern.
This is why it’s so important to instill a sense of enthusiasm for security throughout your organisation. You want to get everyone in on it. It’s a mindset that relies upon prevention and taking a proactive approach.
Rather than security being siloed to just a handful of individuals, it becomes ingrained into your culture. When there’s a collective responsibility and attention to detail, your risks are significantly mitigated.
While this is important for organisations of any size, it becomes mandatory as your number of employees increases.
You could make the argument that a lack of cyber security knowledge among your employees is far more dangerous than the iniquitous motives of cyber attackers.
The 2016 report from the Ponemon Institute surveyed healthcare organisations to identify the threats they were most worried about. Interestingly enough, it found that 69 percent were most concerned with employee negligence, and 45 percent were most concerned with cyber attackers. That’s a 24 percentage-point difference.
Perhaps the best way to quell these fears is to provide team members with the necessary education and training. The more knowledge they have, the better prepared they’ll be to navigate their way through daily tasks while maintaining rigorous security standards.
Adobe is a perfect example of a company that places a huge emphasis on cyber security education and requires many of its employees to undergo rigorous training. Their ASSET Software Security Certification Program is designed to greatly increase employee knowledge and maximize the security of end products and services for the consumer.
They even have different course levels where employees are assigned belt colors like you would see in the martial arts. White belts have just a base understanding of security concepts, green and brown belts are more advanced, and black belts are at the top with the highest level of comprehension.
While this may be excessive for your enterprise, it’s an example of what a security-minded culture looks like. Other companies require staff to complete a course once a year to ensure that they stay abreast of digital security trends and common threats their organisation may encounter.
Whatever path you choose, the short-term investment in employee education should pale in comparison to the long-term benefits. With global spending on cyber security predicted to reach $1 trillion by 2021, funding security education is just a drop in the bucket.
Establish Relevant Policies and Procedures
Every single person within your organisation from the top to the bottom should have a clear understanding of what is and what isn’t acceptable in regards to security. This is important not only for eliminating confusion but for ensuring a level of consistency across the board.
Establishing a set of policies and procedures makes it explicitly clear which behaviours are acceptable and makes employees accountable for their actions. It also provides an outline for what subsequent discipline entails if a policy is violated.
Some specific areas you may want to touch on include:
- Internet usage – Which sites, documents, files, etc. can and cannot be accessed
- Password protection best practices – Creating secure passwords and routinely updating them
- Procedures for handling suspicious emails to prevent phishing attacks
- Guidelines to avoid clicking on questionable links
- Social media and blogging usage – Addressing information employees can and cannot share publicly
- Software updates – Ensuring software is continually updated to mitigate threats
- Not leaving devices unattended
- Promptly reporting potential security threats
- Disciplinary action that will be taken for violations and infractions
These are just a few examples, and building a customised security framework can differ drastically from company to company. Therefore, you’ll want to thoroughly analyse your specific needs and concerns when deciding which policies and procedures to implement.
If you’re looking for policy templates, you can find a variety through this resource from SANS.
Also, be sure to create a security policies and procedures checklist for the HR onboarding program for all new staff. You can then check off each of these areas one by one to ensure that each new hire has a thorough understanding and comprehension of these policies and procedures. You may even want to include a test to gauge their command of these topics.
Address Mobile Device Security
Mobile devices permeate most of today’s workforces, and the Bring Your Own Device (BYOD) movement is in full swing. In fact, Citrix reports that on average, employees use 3+ devices daily for work activities, and the number of devices managed among enterprises grew 72 percent between 2014 and 2015.
Although this can facilitate collaboration and often makes teams more efficient, it creates some serious security concerns. The Ponemon Institute even points out that mobile device insecurity is a major worry for 35 percent of businesses.
Some specific issues include:
- Device attacks, where unauthorized users gain access and either take control of the device and its data or execute a denial of service (DoS) attack
- Data interception, where sensitive information is compromised by eavesdropping on Wi-Fi communication
- Employees mistakenly downloading malicious apps
Another major threat that mobile devices pose is the ease with which they can be lost or stolen. Because they’re so lightweight and portable, employees often bring them along everywhere they go. If they wind up in the wrong hands, there can be some catastrophic consequences.
So how can your organisation increase its mobile device security?
It revolves around two major tactics which were previously discussed – establishing policies and proper training. That right there can minimize a large percentage of threats.
You may also want to invest in a mobile device management (MDM) solution, which is a type of software that enables you to closely monitor and manage all of your employees’ mobile devices.
While this may be more of a luxury if you’re a small business, it can become a necessity as you continue to grow. If you get to the point where you’ve got 250+ employees, it’s basically essential.
Michael Davis, CEO of IT security consulting firm Savid Technologies explains, “An MDM will certainly help you manage risk. There is no way to do risk management of mobile devices by hand. There are simply too many different security knobs to turn and different users to deal with in most organizations.”
Encourage Cross Team Collaboration
Collaboration in general is critical to an organisation’s overall success. Seldom does an effective team work in isolation.
But it’s especially vital when you’re talking about security.
When various teams and departments openly communicate and collaborate with one another on security related matters, it becomes easier to build an internal security culture. It keeps everyone on the same page, which can go a long way in neutralizing threats.
There are a few different strategies for improving collaboration. One is to devote entire meetings or at least chunks of meetings to discussing security practices. You might use this time to point out concerns, particular areas of vulnerability, upcoming updates and so on.
Another idea is to create a digital resource where different departments can communicate and coordinate their efforts. This could be something as simple as setting up a LinkedIn group or Slack thread that’s dedicated entirely to company security.
An added plus is that this can serve as an excellent onboarding resource as you inevitably add new members to your team.
It’s a Process
Transforming a company from one with basic security parameters to one where security is completely entrenched in its culture doesn’t happen overnight. It takes time.
But the effort should be well worth it, especially when you consider the escalating security threats that are affecting companies across nearly all industries. The Global State of Information Security Survey 2017 even found a 38 percent increase in the number of information security incidents in a single year.
Weaving security into the fabric of your culture should enable you to undergo massive organisational growth, while simultaneously reducing the chances of a breach occurring.
Which elements of security do you feel are most critical as your organisation expands? Please share your thoughts: