DEREK SMITH: The culture of information security awareness

Cybercriminals enjoyed an excellent year in 2021. According to Positive Technologies, a cybersecurity vendor to many Fortune 100 companies, the “number of attacks on retail more than doubled from 2018–2019 to 2020–2021”, with most attacks targeting services and customers. Even with security innovations, this presents a grim picture for businesses and government agencies. A cybercriminal’s easiest target remains the unsuspecting employee.

In academia and in practice, there has been increasing recognition of the significant role that the human factor plays, and it has also been established that technical solutions alone cannot effectively mitigate security breaches. To raise awareness of security practices, it is not enough to simply add more training; organisations must build a culture of creativity, sensitivity, and engagement among employees.

This article briefly discusses several points relevant to establishing a culture of information security awareness.

Consider Breaches from a Risk-Based Perspective

As threat landscapes become increasingly complex and continue to evolve, business networks require risk-based strategies that accurately identify and mitigate business risk. Two internationally recognised frameworks that can assist are the NIST Cybersecurity Framework and ISO 27001. Both follow a risk-based approach and are considered technology neutral. An effective, proactive, risk-based cybersecurity strategy has three critical components for successful implementation: risk scoring and quantification, vulnerability prioritisation, and exposure analysis.

Deliver engaging education solutions

Creating an awareness culture requires honest and open communication with staff. A good preventative strategy begins with employee education, and someone who is motivated to deliver it is the best candidate, because their natural passion for the topic can bring positive energy to a subject that may not be exciting for many employees. Jon Brickey, Senior VP at Mastercard, noted recently, “at Mastercard, the security department created online escape rooms and modules presented in virtual reality to encourage robust year-round engagement.” However, leaders must be aware that employee engagement has its limitations.

Let go of checking-the-box thinking

Reactive scan-and-patch approaches are slow, laborious, and expensive. False alarms waste valuable resources while actual threats go uncaught. Thus, today’s most critical assets can no longer be protected by this reactive detect-and-respond strategy alone.

Compliance is commonly misunderstood as the means of ensuring security. Many organisations follow “check the box” thinking, which means they meet only the minimum requirements of the frameworks they have chosen. Because of today’s adversaries’ agility and strategies, companies must be aware of their unique security weaknesses and attack pathways and close any security gaps as quickly as possible. It is of utmost importance for organisations to take steps to strengthen their security posture that go beyond meeting minimum security requirements and adhering to regulatory requirements.

Conclusion

In short, the security culture of an organisation can be developed and strengthened by focusing on understanding, developing, and strengthening employee information security awareness (ISA) through adopting a risk-based approach, delivering engaging education solutions, and letting go of check-the-box thinking.

• Derek Smith Jr. has been a governance, risk, and compliance professional for more than 20 years with a record of leadership, innovation, and mentorship.
