People, processes, and technology are often seen as the three pillars of Information Security. Although a proper balance between the three is seen as essential, the aspects of internal culture and employee training as they relate to the “people” pillar are often overlooked. As an Information Security program is only as strong as its weakest link, a lack of focus on the people within an organization can lead to reduced effectiveness of any spend on processes and technology.
In order to bolster the “people” pillar, organizations should seek to establish an internal culture where employees understand the importance of cybersecurity and uphold defined policies, procedures, and controls. Modifying the existing corporate culture to incorporate this aspect of security awareness will require buy-in and support from all the leaders within the organization, who should be responsible for the following:
- Supporting the initiative – The most important thing that leaders within an organization can do to promote a security-awareness culture is to maintain a positive attitude towards Information Security. Showcasing their support for the security measures desired by the organization will help convey the importance of these goals to the employees around them. Negative signaling from any leaders within the organization may encourage resistance among the employees. Additionally, leaders should be on the lookout for any employees who are not adopting the required attitude towards Information Security and should attempt to address the situation in a positive, proactive manner.
- Leading by example – Regardless of what they tell employees, leaders who openly deviate from policies, procedures, or controls are showing the employees around them that this is acceptable behavior. This can range from using a simple “shortcut” in a procedure to using a personal computer that has not been approved by IT. Employees who see leaders not complying with these measures may start to question why they have to do them or may follow suit without asking for approval.
- Understanding Information Security – While leaders within an organization may not be Information Security experts, they should be provided with additional training. Having this knowledge will allow the leaders to better explain Information Security to the employees around them as needed, as well as reduce the likelihood of the individuals being involved in any incidents or events which may reduce their credibility within the organization.
- Being involved – Leaders within the organization should be made aware of or involved in creating items such as the Incident Response Plan, Business Continuity Plan, Disaster Recovery Plan, and other key procedures. While they may not need access to all the details, being aware of such information may allow leaders to better contribute to the organization.
Why is culture important?
As an often-overlooked portion of “people, processes, and technology”, internal culture and security awareness are often the only things that come between your organization and a successful Social Engineering attack. A security-awareness culture will encourage employees to question suspicious activity, be more resilient to Social Engineering attacks, and be more adherent to defined policies, procedures, and controls.
A manufacturing firm suffered a business email compromise in mid-2021. Business Email Compromise (BEC) is an attack in which an attacker obtains access to a business email account and imitates the owner’s identity in order to defraud the company and its employees, customers, or partners. In this case, the scammer posed as the CFO and waited for a Friday evening to send an email to an Accounts Payable employee asking him to send out a payment to a “new” vendor for $450,000. The email carried a sense of urgency as well as clear instructions that required the employee to pay the vendor that very evening.
The employees in this company were doers who never questioned anything that came their way. The scammer took advantage of the firm’s culture of not questioning anything that came from a position of power, in this case the CFO. This is a classic case of a scammer taking complete advantage of a poor security culture. A strong security culture could have helped avoid this and other scams by creating a heightened sense of security within the organization, so that employees verify before trusting such emails or other communication.
Having a strong control environment also ensures that all payments go through a defined level of approval based on dollar amount, in addition to enforcing segregation-of-duties controls. Create a culture of collaboration and reward employees for raising security concerns in a timely manner. This not only allows everyone to feel accountable but also creates an opportunity for employees to act as guardians for the organization. If the tone at the top were security-oriented and employees could reach out to their leadership without fear of repercussion, the CFO could have been called to verify the contents of the email.
Who is a leader?
For the purposes of creating a security-awareness culture within an organization, many individuals can be considered leaders. Ranging from the Executive Management team to managers overseeing the corporate office, changes in culture must start from the top down but be enforced at every level of authority. Any deviation from the target security-awareness culture may ripple through the organization, with higher-ranking leaders causing larger setbacks through noncompliance and leaving the organization more exposed to Social Engineering attacks.
As part of a consulting firm, we encounter many situations that could merely be avoided if the whole organization took security seriously, including the upper management. We ran into a peculiar case at a large healthcare organization where a VP sent out an email that mentioned that all employees would need to do the security awareness training and that anyone who does not attend it will be fired. Unbeknownst to the VP, there was also a phishing campaign that was being run for everyone in the organization. The results were that a large percentage of the employees did not click on the email that we had sent out because they had gone through the security awareness training, which educated them on what to look for as part of phishing emails. The interesting point that stood out for us was that the VP who had sent out the email had not only not taken the training but also clicked on the phishing simulation email.
We see several situations where the C-Suite does not want to comply with the IT Security policies that the rest of the organization complies with. This not only creates the culture of “Why should I do it when the leadership does not believe in this?” but also ensures that the upper management, who are typically carrying a lot of sensitive information with them, are at higher risk of being compromised. It is imperative that the leaders lead by example and not help set a bad tone at the top.
Planning matters
At the end of the day, any organization looking to add security awareness to their own internal culture should do so only after extensive planning. While the responsibility for Information Security may fall on a certain group of people, this group should attain buy-in and seek input from leaders throughout the organization and work closely with them for the implementation of any planned changes. Doing so may reduce the burden on the responsible group, improve employee attitude towards changes, and ensure a more seamless experience overall.
Depending on the size or scope of the project, it’s not uncommon for organizations to partner up with specialized consulting firms or establish internal committees with representation from multiple business groups.
- Leveraging professionals who have a long history of building and improving Information Security environments from the top down can prove to be an invaluable resource. A consulting firm may reduce the likelihood of costly errors occurring, help manage the project and keep it on track, contribute years of relevant experience, facilitate internal communications, provide input on other relevant topics such as business process improvement or risk management, or anything else agreed upon in the project scope. This will provide an organization with a scalable amount of human capital at agreed-upon costs, as opposed to either hiring a set number of employees or being time-constrained by the current number of available employees – assuming they don’t get assigned additional projects/responsibilities in the same time frame.
- Internal committees are a great way to facilitate regular communication in larger organizations and will allow the responsible group to attain buy-in and receive input from multiple leaders at once. This will ensure that leaders are on the same page during the planning phase and that the organization can be better coordinated during the implementation phase – resulting in the smoother deployment of planned changes.
Countless factors go into successfully changing your organization’s culture, but the importance of attaining buy-in, or even help, from internal leaders should not be underestimated.