Cybersecurity as a Culture
How aligned is your team's behavior with regard to protecting data and infrastructure?
By now, we should all understand the significance that cybersecurity has for our businesses, our government and our personal lives. With greater frequency, businesses are being conned into making false financial transactions by criminals impersonating customers or vendors. We see entire municipalities across the country falling victim to ransomware and being taken down for weeks and even months, unable to provide basic services to their citizens as they try to rebuild. With our expanding digital presence and our private Personally Identifiable Information (PII) being used and recorded by more and more service providers, both identity and PII theft continue to rise, requiring us as individuals, and the businesses that record our information, to increase vigilance in securing and protecting that information.
Privacy and data protection need to inform our business decisions and our individual choices. More often than not, we continue to see businesses choosing convenience over security. Time and again, we see the selection of free and unsecured solutions over more secure and reliable options. In some ways these decisions are cultural: we want things fast, and with so many companies essentially offering free services in exchange for our data, we want them free. It’s time for us to put a value on our information and on its security. This awareness should permeate our business culture, from our lead decision makers all the way through to our aspiring interns.
When we are concerned with securing privacy, we make better business decisions. By doing so we are both protecting and investing in our employees, our customers and in our business.
To value convenience over security is to ignore risk. Bad choices leave your business susceptible not only to the real financial risks of hackers but also to the strengthening hand of governance and steep fines. The European Union has implemented the General Data Protection Regulation (GDPR), and New York State the SHIELD Act. Both regulations are designed to protect PII and to punish organizations that don’t protect it by imposing significant penalties.
Our awareness needs to inform our top-level decision making. Clearly, cybersecurity software & tools are critical. Backup is critical, and regularly testing the backup recovery is critical. Patch updates are critical. Penetration tests are critical. Internal threat scans, breach detection and multi-factor authentication are all essential. But our awareness also needs to inform our everyday choices as we are bombarded with notices to click here and to follow there. Proofpoint’s “Human Factor” report claims that 99% of cyber attacks rely on human intervention. Considering this extreme metric, it is clear that our people need to be an active part of the cybersecurity solution. Is your business culture a liability? What if it were a strength?
Where do you start?
We believe an organization’s culture should be immersed in security to the point that, with every action your people execute, cybersecurity is a priority. It is an attitude and a mindset, combined with enforceable policies and tactics customized to the needs and workflows of your business. Your solutions should reflect your privacy concerns and compliance requirements. Training is essential during on-boarding and as an ongoing process. Your team should feel as though they are the first & last line of defense in a cyberattack – because, in many ways, they are. Privacy and cybersecurity need to be part of the conversation.
So what is the culture of your organization when it comes to cybersecurity?