A Security Conscious Cohort - Part 1: Defining a New Norm

by Security Centric, on 13/12/2018 12:41:00 PM

As high-profile breaches produce increasing public attention, effective information security is more important than ever. Cyber incidents have a potential impact comparable to natural disasters. It is increasingly insufficient for organisations to achieve the bare minimum required for regulatory compliance – real protection is necessary.

Corporate army against grey background

A competent cyber security strategy depends on people, process, and technology. Technical protections have their place but can only do so much to defend against an ignorant or uncaring workforce. For example, the vast majority of notifications submitted as part of the Australian Notifiable Data Breaches scheme (NDB) were caused by direct human error or phishing, which are most effectively combatted by an educated, security-conscious workforce. Too often, organisations attempt a technical solution for a human or procedural problem.

A successful security program is reliant on appropriate policies and procedures but is ineffective without people who adopt and implement them. This applies to IT and security staff, who are needed to implement technical controls, but also to the rest of the workforce. It is unfortunately common to think that security is handled solely by a specific department and is not of concern to the average individual. It is crucial for management and employees to recognise both that they are an essential part of the organisation’s security posture, and that security is important.

Although less tangible, a security-conscious cohort is a very valuable asset. Vigilant employees mitigate the most common avenues of attack and data leakage. They are a vital defence against physical intrusion, and greatly reduce its impact. Utilised correctly, they can detect and report phishing attempts missed by technical filters – alleviating a potential intrusion and used to improve the technical filter.

There will always be a spectrum of security understanding within an organisation’s population. It is management’s responsibility to encourage and reward those individuals who have an increased appreciation for security. This positive reinforcement ensures those individuals remain alert and their colleagues are encouraged to improve. Without recognition, the attentiveness of these individuals will naturally drop to the status quo, resulting in a gradual waning of the organization’s overall security posture. By creating a culture of information security awareness, the weaker individuals (who are the primary human risk) will naturally adopt better habits.

The next instalment in this series will explore specific strategies for achieving improvements to cultural security consciousness.

Topics:Fundamentals

Comments

Finally, an actionable blog

The purpose of this blog is to make available the real-world lessons, experience, observations and mistakes that are part of the daily life of a group of cyber security professionals.

Read about:

  • What mistakes organisations are making (anonymously of course!)
  • What effective actions are available to quickly and economically achieve effective protection (without buying new kit)
  • Trends we're seeing, via our incident response and forensic investigation capabilities
  • And sometimes, just frustrations about what is wrong with cyber :|

Subscribe to Updates