When I ask people what the greatest threat to the security of the data in their business, I typically get a range of responses that relate to technology. Many people say the cloud, or the Internet of Things. Wi-fi is another ‘threat' that comes up regularly. On the other hand, some people cite various individuals or groups as the biggest threat – sneaky competitors, teenage hackers and even North Korea are also regularly brought up.
But the correct answer – the most underappreciated threat to any business, large or small is its own people. That's not to say that a business's employees are out to get them or maliciously steal from the company, but a workplace culture that is lax with security, that does not encourage staff to be vigilant and does not evangelise for security beyond the security or IT teams is the single biggest threat to a company's ongoing security.
Unfortunately, culture isn't the type of thing you can make changes to and expect an immediate impact or response – it takes time. There however are a few steps that any business can take in ensuring that security is taken seriously.
1. Build a community – the definition of a community is a group of people sharing a common interest. Whilst in theory, your business should automatically be a community of workers sharing a common goal, anyone who has had a role across siloed departments knows this is not always the case. The more we can break down barriers within an organisation, the more steeled the company will become when it comes to ensuring a secure environment
2. See something? Say something – employees should be encouraged to report bad security practices under an amnesty policy. For the most part, employees are switched on when it comes to security, they can recognise most phishing attacks and they know the importance of strong password. If we can combat the trend of acceptance of this is simply ‘part of doing business' we can work to fix
3. Finding the right people – Once upon a time infosec departments were full of engineers, white-hat hackers and the stereotypical geeks. But we're seeing this start to morph as organisations wise up to the fact that often their security problem is not a technical problem – it's a communication problem. Journalists, public relations practitioners, marketers and human resources experts are now just as common within the security department as the traditional infosec individual
4. The hiring process – new employees are like a sponge for workplace culture. Those first weeks, days and even hours are crucial for instilling the types of behaviours that will become habit throughout their tenure at an organisation. Because of this, security professionals need a seat at the table when it comes to the induction of employees. IT policy needs to be more than just a tick box exercise on an induction checklist.
Whilst staying one step ahead of malicious technology will always be imperative in ensuring your valuable data remains safe and secure, it's no match for an internal culture that rewards vigilance and community.
Consider the old analogy “give a man a fish and feed him for a day, teach a man to fish and feed him for a lifetime”. It holds true here. Providing employees with the technological tools to protect your data is important but will only take you so far. In order to truly secure your data, its culture which becomes your first, and most important line of defence.