
Workplace culture: The first line of infosec defence

07 Jun 2018

When I ask people what the greatest threat to the security of the data in their business is, I typically get a range of responses that relate to technology. Many people say the cloud, or the Internet of Things. Wi-fi is another ‘threat’ that comes up regularly. On the other hand, some people cite various individuals or groups as the biggest threat – sneaky competitors, teenage hackers and even North Korea are also regularly brought up.

But the correct answer – the most underappreciated threat to any business, large or small – is its own people. That’s not to say that a business’s employees are out to get them or maliciously steal from the company, but a workplace culture that is lax with security, that does not encourage staff to be vigilant and does not evangelise for security beyond the security or IT teams is the single biggest threat to a company’s ongoing security.

Unfortunately, culture isn’t the type of thing you can make changes to and expect an immediate impact or response – it takes time. There are, however, a few steps that any business can take to ensure that security is taken seriously.

1. Build a community – the definition of a community is a group of people sharing a common interest. Whilst in theory your business should automatically be a community of workers sharing a common goal, anyone who has had a role across siloed departments knows this is not always the case. The more we can break down barriers within an organisation, the more steeled the company will become when it comes to ensuring a secure environment.

2. See something? Say something – employees should be encouraged to report bad security practices under an amnesty policy. For the most part, employees are switched on when it comes to security; they can recognise most phishing attacks and they know the importance of a strong password. If we can combat the trend of acceptance of this is simply ‘part of doing business’ we can work to fix

3. Finding the right people – once upon a time, infosec departments were full of engineers, white-hat hackers and the stereotypical geeks. But we’re seeing this start to morph as organisations wise up to the fact that often their security problem is not a technical problem – it’s a communication problem. Journalists, public relations practitioners, marketers and human resources experts are now just as common within the security department as the traditional infosec individual.

4. The hiring process – new employees are like a sponge for workplace culture. Those first weeks, days and even hours are crucial for instilling the types of behaviours that will become habit throughout their tenure at an organisation. Because of this, security professionals need a seat at the table when it comes to the induction of employees. IT policy needs to be more than just a tick box exercise on an induction checklist.

Whilst staying one step ahead of malicious technology will always be imperative in ensuring your valuable data remains safe and secure, it’s no match for an internal culture that rewards vigilance and community.

Consider the old analogy “give a man a fish and feed him for a day, teach a man to fish and feed him for a lifetime”. It holds true here. Providing employees with the technological tools to protect your data is important but will only take you so far. In order to truly secure your data, it’s culture that becomes your first, and most important, line of defence.

Article by Bitdefender senior e-threat analyst Bogdan Botezatu.
