
Create a safer internet by building a culture of security

07 Feb 2018

Yesterday marked Safer Internet Day – a day that promotes the safe and positive use of digital technology. This year’s theme, “Create, connect and share respect: A better internet starts with you”, is a call to action for every stakeholder in the Internet community to play their part in creating a better, safer environment for everyone. So, who must we count on to spearhead the charge for a safer Internet?

Organisations bear huge responsibility when it comes to creating a safer internet

Over the years, technology, especially software-driven applications, has become increasingly ubiquitous in our society. Software-controlled devices and applications are now the lifeblood of modern commerce and our critical infrastructure – the digital economy.

On a personal level, software powers a wide spectrum of functions. In Singapore, according to a 2017 study conducted by Ernst & Young (EY), consumers spend close to 13 hours daily on their digital devices. They depend on software applications on their connected devices to perform a wide array of activities, including online messaging, social media, news updates, gaming and work purposes.

When we consider the time that consumers spend on applications developed by businesses and government bodies, and the massive amount of personal, sensitive data that passes through these programs, it is evident that these organisations have a huge responsibility in creating a safer Internet by designing secure, reliable online services and content.

The human element of cybersecurity

In order for organisations to ensure a robust cybersecurity infrastructure, security must not only be built into software, systems and processes; it is also imperative for it to be incorporated into the organisation’s DNA and ingrained into how its employees think, create, and connect.

According to various surveys on data breaches, humans can be the weakest cybersecurity link within an organisation. It was reported that 90% of data-loss incidents and breaches have a phishing or social engineering component to them.  Closer to home, approximately 40% of executives in Singapore reported that their organisations have fallen victim to phishing attacks, making it the most pervasive cybersecurity threat faced by organisations in the country.

Building a culture of security with organisations

To address this issue, organisations need to recognise that there are no silver bullets or quick fixes. It will require commitment and effort from everyone across the board; it will require them to build a culture of security within the organisation.

Here are four steps that enterprises and government bodies can follow to instill a security-centric culture.

1. Building culture change on a solid foundation

The most important step that companies can take is to base their culture on a solid foundation of good policies. The security policies must reflect what organisations need their employees to do. They need to be easy to understand and to implement. These policies are critical not only to ensure the organisation is protected, but also to build trust among customers and partners.

2. Make sure everyone is on the same page

Once organisations have their policies in place, they will need to socialise them and get everyone on board. Training and continuous practice, repeated over and over again, will help build muscle memory.

We also do extensive testing.  If there are repeated failures, we require additional training. Finally, to help combat phishing attacks, we have started to include a notification that emails are coming from sources outside the company.

3. Bring it home

One of the best things a corporate security team can do to improve the culture of security is to provide tools for people to use not only at work but also at home. With today’s mobile workforce, providing security tools while employees are on the go or including advice for protecting home activities  extends the message and may help make some of the greatest progress in building good security habits. 

4. Accountability top-to-bottom

Company leadership needs to be ready to back up the security team when there are policy violations. A recent CA report found that 90% of IT and security professionals worldwide feel vulnerable to insider threats, with 51% of them stating that they are most concerned about accidental insider threats.

This comes as no surprise: in the current sophisticated threat environment, organisations can expect that someone will violate company security policies, intentionally or not. Besides phishing attempts, weak passwords, bad password sharing practices and unlocked devices have been cited as the biggest enablers of accidental insider threats.

Leaders need to be part of the security-aware culture, and be especially careful in following company policies. Their actions in this area will be watched closely, and if the executives show that they do not consider the company security policies important, few of their employees will.

Leading the charge to create a safer internet for everyone

As active members of the Internet ecosystem and the purveyors of software applications that form the bulk of our digital universe today, organisations shoulder enormous responsibility in ensuring the Internet is better and safer for everyone.

By cultivating a culture of security, both government bodies and enterprises can prevent their employees from becoming a weak cybersecurity link and greatly strengthen their security posture.

This enables them to deliver services and content that people trust and can safely use with peace of mind.  

Article by CA Technologies CTO for APJ, Stephen Miles.
