Cyber security involves many different technical and informational solutions that must be adopted and implemented to give an organization the greatest chance of resiliency in a complex threat landscape. Technology is necessary for addressing cyber threats, but it cannot work independently of complementary factors such as policy guidelines, information sharing on threats, and user awareness.
Indeed, developing a cyber security culture achieves two important objectives: 1) it intertwines security practices with business operations in order to improve an organization’s security posture, and 2) it demonstrates that security is not a function relegated to an understaffed and underfunded IT department.
Establishing a cyber security culture advances the principle that everyone – including executive leadership and management – has an equal part in cyber security, which is essential for bolstering an organization’s resiliency. For this reason, when “employee” is used in this paper, it refers to individuals at all levels of an organization, not just workers.
If individuals are the weakest link of the cyber security chain, then it follows that cyber security must start on the individual level. Employees must be actively involved in an organization’s cyber security apparatus, as they will likely have access to many of the business’s computers, systems, and networks, and often will serve as the first line of defense in their protection. Executives are targets for their potential access to sensitive information; worker bees are similar targets for attackers to gain access into the network and elevate privileges so they can move laterally to find such information. They both represent access roads to the same destination.
For this reason, security training is best approached collectively. Many organizations require employees to undergo annual user awareness training. However, such training is often viewed as a compulsory necessity rather than an opportunity to inform and educate. Frequent, interactive training will better prepare employees for current threat trends by highlighting the tactics, techniques, and procedures used by hostile actors to gain unauthorized access to targeted systems.
Furthermore, such training should bring executives, management, and employees into the same room, where they can share their experiences and thereby educate each other collectively on the types of threats they have personally encountered. This type of transparent dialogue connects the workforce as a unified whole and provides insight into where the strengths and weaknesses in security awareness lie.
The socialization of cyber threats among all levels of a company’s workforce reinforces the concept that cyber security is a shared endeavor. For example, social engineering and spearphishing e-mails that target one class of worker may not target another; yet it is imperative that everyone be cognizant of what they entail, how suspicious e-mails can be checked, and what should be done if they are received.