Whenever a major security breach takes place, many people are left scratching their heads and wondering “How did this happen? Are the hackers really that good?”
In many cases, yes, hackers are far more sophisticated than most people give them credit for. However, cybercriminals usually have some help, and it usually comes in the form of the negligence of an average employee. Hackers depend on company employees, from executives down to the mailroom, to create openings, allowing them to gain access to organizations’ most sensitive networks.
“But I would never do that!” you might be thinking. “Besides, our IT department has all of the latest security tools in place. We have antivirus protection and firewalls. Shouldn’t that keep the hackers out?” While it’s true that antivirus programs, firewalls and other security tools do help keep networks safe from intrusion, perhaps the best weapon against hackers and cybercrime is a fortified culture of cybersecurity.
What Is a Cybersecurity Culture?
In the simplest terms, a cybersecurity culture is when everyone in the organization understands the need to keep networks and data secure, and they play an active role in that understanding. It’s an environment in which employees are trained and continually updated on security procedures, not to mention made aware by their managers of which activities are safe and which activities put sensitive data at risk. In short, it’s where cybersecurity is a top priority in every department, where everyone understands the risks, and where everyone is aware of their personal responsibility to the organization’s data security.
Unfortunately, in far too many organizations, people just assume that IT has cybersecurity “under control” and have no idea that their own behaviors and habits could be dangerous. At the same time, many IT security teams assume that employees know the risks and won’t do anything risky. These are dangerous assumptions.
To determine whether your company has a culture of cybersecurity, take this quick cybersecurity quiz:
1. What type of cybersecurity training do new employees receive?
a.) We have a comprehensive program that covers our policies and procedures regarding cybersecurity that all employees must complete.
b.) We remind employees that they shouldn’t give out their passwords and avoid viruses, but that’s about it.
c.) Everyone knows about security — we don’t need to do training.
2. How often do you update employees about security news?
a.) We communicate regularly to inform employees about new risks.
b.) If something new pops up and we think it’s important, we might send out an email.
3. Do you ever test your security training?
a.) Yes. We’ve had several successful phishing exercises, and we run penetration tests regularly.
b.) We tested the system when it was installed.
c. You can run tests?
4.) What is your BYOD policy?
a.) We have strict parameters regarding employee use of personal devices. Employees must agree to a mobile device management plan, and we reserve the right to lock or wipe devices that we believe have been compromised.
b.) Employees can use approved devices, and we have a list of approved apps and encourage users to install antivirus software.
c.) We don’t have one.
5.) What can employees install on their machines?
a.) Nothing. All applications or software must come through IT.
b.) Some machines have restricted administrator privileges, but most people can install software if they ask.
c.) Whatever they want. Everyone has full admin privileges on their machines.
6.) What is your password policy?
a.) We have strict password rules; in fact, we use a password manager and multi-factor authentication to keep our most sensitive data safe.
b.) We require complex passwords and encourage employees to change them regularly, but it’s not required.
c.) Most people use the same password for years and for every system.
If you answered mostly B’s, you’re doing okay, but you have some work to do. Start by developing clear, firm policies and providing training to employees.
If you answered mostly C’s, you have a good chance of your network being compromised, that is, if your network hasn’t been already. You need to make cybersecurity a priority and get your entire company on board.
While this quiz may feel like a slight oversimplification of very complex security issues, it should serve as a wakeup call to the importance of improving your cybersecurity culture and the safety of your corporate network. With so much at stake, you cannot leave your security to assumptions and guesses. If you’re lacking, start changing your company’s culture today.