Workplace culture: The first line of infosec defence

07 Jun 2018

When I ask people what the greatest threat to the security of the data in their business is, I typically get a range of responses that relate to technology. Many people say the cloud, or the Internet of Things. Wi-fi is another ‘threat’ that comes up regularly. On the other hand, some people cite various individuals or groups as the biggest threat – sneaky competitors, teenage hackers and even North Korea are also regularly brought up.

But the correct answer – the most underappreciated threat to any business, large or small – is its own people. That’s not to say that a business’s employees are out to get them or maliciously steal from the company, but a workplace culture that is lax with security, that does not encourage staff to be vigilant and does not evangelise for security beyond the security or IT teams is the single biggest threat to a company’s ongoing security.

Unfortunately, culture isn’t the type of thing you can make changes to and expect an immediate impact or response – it takes time. There are, however, a few steps that any business can take to ensure that security is taken seriously.

1. Build a community – the definition of a community is a group of people sharing a common interest. Whilst in theory your business should automatically be a community of workers sharing a common goal, anyone who has had a role across siloed departments knows this is not always the case. The more we can break down barriers within an organisation, the more steeled the company will become when it comes to ensuring a secure environment.

2. See something? Say something – employees should be encouraged to report bad security practices under an amnesty policy. For the most part, employees are switched on when it comes to security: they can recognise most phishing attacks and they know the importance of strong passwords. If we can combat the trend of acceptance that this is simply ‘part of doing business’ we can work to fix

3. Finding the right people – Once upon a time infosec departments were full of engineers, white-hat hackers and the stereotypical geeks. But we’re seeing this start to morph as organisations wise up to the fact that often their security problem is not a technical problem – it’s a communication problem. Journalists, public relations practitioners, marketers and human resources experts are now just as common within the security department as the traditional infosec individual.

4. The hiring process – new employees are like a sponge for workplace culture. Those first weeks, days and even hours are crucial for instilling the types of behaviours that will become habit throughout their tenure at an organisation. Because of this, security professionals need a seat at the table when it comes to the induction of employees. IT policy needs to be more than just a tick box exercise on an induction checklist.

Whilst staying one step ahead of malicious technology will always be imperative in ensuring your valuable data remains safe and secure, it’s no match for an internal culture that rewards vigilance and community.

Consider the old analogy “give a man a fish and feed him for a day, teach a man to fish and feed him for a lifetime”. It holds true here. Providing employees with the technological tools to protect your data is important but will only take you so far. In order to truly secure your data, it’s culture that becomes your first, and most important, line of defence.

Article by Bitdefender senior e-threat analyst Bogdan Botezatu.