Why Cybersecurity in the Workplace is Everyone’s Responsibility
Does your organisation store confidential data? Does it deal with personally identifiable information to conduct business operations? Do you need financial data in order to transact? The obvious answer to these questions is, “yes.”
Organisations today have information. Lots of it, in fact, in varied formats. Organisations transact with this information. They store this information. Quite often the information does not belong to the company; it belongs to third parties (such as customers, business partners and suppliers).
Businesses are beginning to realise that having information, especially sensitive third-party information, makes them a target. News headlines remind us daily: cyber attacks are growing. Cyber threats are increasing in frequency, prominence and severity. Organisational reputation and the business itself are faced with constant risk.
A 2018 Insider Threat report by Computer Associates found approximately 90% of firms deem cyber threats a significant concern. While many respondents feel content with online banking and shopping, about 70% were uncomfortable with sharing identity and personal data online.
It is safe to say that cyber threats are a matter of grave concern – and equally safe to say that cybersecurity must be a key mandate for organisations.
Implementing Cybersecurity In The Workplace Is Vital
It is unquestionable that we live in an era of persistent cyber threats.
The Notifiable Data Breaches Quarterly Statistics Report reveals that criminal attacks in Australia have almost doubled to 64%, making them the largest source of data breaches. Add to this the vulnerabilities within a workplace and it is little wonder that implementing cybersecurity in the workplace is of extreme importance.
Even though the notion of cyber threats invokes thoughts of external parties, such as hackers, attacking an organisation’s systems or executing theft of data, the most significant weakness in workplaces is generally the people on the payroll: the employees. With three-quarters of breaches occurring due to human error or negligence, the internal threat often outweighs the peripheral peril.
Negligence allows hackers to use even the most basic techniques to gain access to confidential information, illustrating that a workplace has threats on the inside as well as on the outside.
Many organisations forget that external perpetrators usually do not target an organisation’s technology. They target employees through sophisticated phishing emails that look like business-as-usual communication. The volume of these attacks is overwhelming. The RSA Anti-Fraud Command Center revealed that there is a new phishing attack every 30 seconds!
Organisational leadership and management are coming to grips with the fact that their environment can only be secured by keeping cybersecurity top-of-mind. Consequently, cybersecurity has become a board decree. CEOs have it as part of their mandate. CIOs have clearly defined security goals. The CISO title is becoming more prominent. The security function is taken more seriously with increasing budgets and personnel guarding the digital fort.
However, the C-Suite and above is not where the battle of, and for, security is fought. To truly combat cyber threats, organisations will need the participation and collaboration of each and every function, and each and every human resource, irrespective of their vocation or employment arrangement.
The 2018 Verizon Data Breach Investigations Report reveals that 4 per cent of employees click on phishing links, which exposes a workplace to severe risk. Too often, organisations rely on designated security personnel to perform specialised security functions, thus limiting other staff’s contribution to this task. While it is vital for security teams to be attentive to security systems, each member of the workplace, from the C-Suite to senior leadership to middle management to frontline, can weaken or strengthen the organisation’s security posture. Therefore, cybersecurity in the workplace is everyone’s job, and emphasis on security culture is essential.
Cybersecurity Workplace Culture
A cybersecurity workplace culture is a culture where security is ingrained and infused in every aspect of the workplace. It is built into the thinking and planning. It is included in the applications, systems and processes. It is part and parcel of how work is done, thereby minimising the chances of a cyber-attack. A strong cybersecurity posture is heavily reliant on an organisation’s culture. Building a cybersecurity workplace culture not only emphasises and reinforces security behaviours among staff but also helps to protect your organisation against a cyber-attack.
Designing and building cybersecurity workplace culture
Establishing a cybersecurity workplace culture, while widely considered to be a tough mission to accomplish, is not as daunting as you may think.
Consider a few elements, the first of which is attitude. The attitude towards cybersecurity, how management implements cybersecurity, and whether education and communication plans are in place all contribute to successfully building a cybersecurity workplace culture:
Check C-Level Attitudes Toward Cyber Security
An organisation’s attitude towards cybersecurity, as a collective, plays a significant role in how employees incorporate it into their everyday work behaviour. It is neither fair nor realistic to expect the frontline to be motivated about cybersecurity if the C-Suite, senior leadership and management are not committed to the mission.
Hence, it is mandatory that organisational leadership and management at all levels build a positive attitude around cybersecurity awareness and encourage the workforce to become enthusiastic about building a culture of cybersecurity. Achieving this enhances employees’ awareness and, consequently, their ability to minimise cyber risks.
Every workplace is faced with cyber risk and cyber threats. The right attitude helps drive appropriate behaviours across the entire organisation and at all levels.
Management Must Lead
Organisational leadership and senior management set the tone in organisations. They influence the mindsets of others. They can help generate awareness of the factors and issues that matter. If leadership and management embrace cybersecurity as a priority and propagate it as a message, it will be taken more seriously. Leadership and management training on relevant components of cybersecurity, and training for middle management and frontline on cybersecurity, enhances awareness and mitigates risk. Transfer of cybersecurity knowledge and best practices within the workplace also helps enhance awareness and reduce cyber risks.
Leadership and management must support investments related to cybersecurity initiatives, and they must model good personal security habits based on guidelines distributed throughout the workplace. Leaders play a key role in building a cybersecurity workplace culture. They also play a key role in helping drive the implementation of cybersecurity practices in the workplace.
Education is Key
Once management implements a cybersecurity-conscious culture, the next step is to achieve employee awareness and training through various programs. IT is very much doing its job well in protecting organisations, and it is everyone else letting the team down, so employee awareness and training are essential. The training will assist in building an understanding of the risks and how to avoid cyber-attacks. Too often employees are caught off guard and unaware, giving cybercriminals an unfair advantage.
Plan Ahead – Stay Ahead of Attackers
Senior staff and managers must develop a communications plan for an inevitable cyberattack incident. If employees receive regular information on the cyber incident response plan, this will assist them in incorporating it into their overall workplace culture. A communication plan consistent with regulatory requirements, legal considerations, industry best practices, and commitments made to external stakeholders must be made available to all employees.
This plan must be created with the least tech-savvy staff in mind. It must include simple, vital information such as how to protect shared folders with encryption and passwords. Such a plan must take into account commonly used applications that contain large amounts of sensitive data, such as Customer Relationship Management (CRM) platforms. All staff should be required to use best-in-class practices for accessing cloud platforms, such as creating strong passphrases, using multi-factor authentication, and restricting access to those who need it. The more information your staff have on how to keep data safe, the better your chances of surviving an attack without a severe data leak.
No plan will ensure a 100% success rate against human-based activities, but substantially reducing the risk can help manage incidents. Internal awareness campaigns can also be used to help build a cyber-secure culture. Materials such as posters, newsletters and reminders are effective ways to generate “buzz” around important security themes.
Phishing Is Defeated By Everyone, Not By IT
Multi-layered security protections are necessary and essential for any workplace. However, the workplace still relies on employees to know how to mitigate an attack. Hackers are successful because their targets, you, don’t know the cybersecurity rules of the game or that they are playing at all. Phishing takes advantage of the human element by encouraging unknowing and trusting victims to click on malicious links or open malicious attachments. With phishing causing more loss of data in Australia than hacking or malware, it is something that must be in the foreground in the workplace. Most times employees do not realise they are engaging in risky behaviour that puts their workplace at risk.
Individuals damage their workplace’s brand and reputation, and even lose their jobs, when cyber-attacks occur and they have been the ‘Patient Zero’. The term ‘Patient Zero’ is used to identify the person who was the entry point for malicious exploitation into their information technology environment. Something you do not want to be! To avoid becoming ‘Patient Zero’, you must be more cyber-aware, and good cybersecurity practices must be implemented to mitigate critical cybersecurity risks. Most importantly, everyone must contribute to cybersecurity in the workplace.
Cybersecurity Is Everyone’s Responsibility
To be successful in creating an enriched cybersecurity environment, continuous effort and emphasis around cybersecurity in the workplace must be practised. Cybersecurity in the workplace is everyone’s responsibility. Regardless of which approach is used to implement cybersecurity practices, you have to keep your employees interested, engaged and invested in the process by making it fun, relatable, relevant and simple.
Every individual in the workplace should ensure they exercise caution when using information systems and seek guidance from responsible individuals. They must understand how their work addresses cybersecurity risks, attend training and learn about the ever-evolving cyber-attack landscape and know how to handle, store, transfer and dispose of information in the workplace.
Safeguarding assets like computers, mobile devices, and non-electronic information must be a priority, and adhering to workplace security procedures is essential. Together everyone in the workplace can make a difference to enhance cybersecurity.
Cybersecurity Is Our Job, Too…
At Stickman, cybersecurity is our full-time job. We work with our customers to make cyber security a part of everything they do, from HR process – to application development and network design – to ensuring compliance with Australian and international data security regulations.
Our services include Penetration Testing; Compliance – especially PCI DSS, APRA CPS 234, and ISO 27001; and Managed Cyber Security, which includes 24x7x365 endpoint monitoring through our own Security Operations Centre.
To find out more information on how your organisation can improve its cyber security posture, please contact us for a confidential consultation.