A Culture of Security is Vital

In aviation, healthcare, and other sectors, you often hear about building a strong "Culture of Safety." This is one of the highest priorities for organizations whose work can impact human life. Building a culture of safety is seen as foundational. Without it, human lives will be lost.

The same goes for cybersecurity. With the sharp increase in threats, it is no longer adequate to educate people about the basics. There needs to be a strong culture of security. Everyone needs to feel free to speak up when they see something wrong or when they make a mistake.

The Challenge

How many times have you heard “people are the weakest link” in a cybersecurity presentation? The numbers seem to bear out the truth of this statement [1] — most cyber-attacks start with a human mistake — but it doesn’t paint the whole picture.

Lior Div, who was a member of Israel’s Unit 8200, stated that his team was always able to break into any organization’s systems, but the times when they were unable to achieve their objectives were because some person noticed something odd. That person would continue to investigate, pulling on the thread, until they discovered the infiltration and shut it down.

The reality is that people are your greatest allies. Cybersecurity is a team sport – all the way from the intern and the new hire up to the executives. People in all these groups have varying degrees of knowledge and understanding of cybersecurity. Instead of helping everyone to truly understand cybersecurity risks and the reasons behind the best practices, people are plied with training that only scratches the surface and is ultimately ineffective.

Build your Security Culture!

Have you ever heard an executive say “you’re paranoid” or “you’re just peddling FUD (Fear, Uncertainty, and Doubt)?” I have. It’s a common misconception that security people are paranoid. Security professionals are partially to blame. We speak about hypothetical attacks and major catastrophes from the news, but we don’t help others to see how it might happen here. It all comes across as alarmist. “The sky is falling.”

Building a security culture does not mean creating paranoia. When you raise security awareness without properly educating people, suddenly every email is being reported as suspicious — even the legitimate ones. Activity slows in an organization where no one trusts anything.

An organization with a strong security culture is one where people are not afraid to speak up when they see something that represents a security risk. Instead of fear, people are looking to continually improve.

Let us consider the various components that go into a culture of security.

It Starts at the Top

The tone of an organization is typically set from the top. When the executives prioritize safety and continually reinforce that message, people will follow. Consider how Boeing lost its safety culture and the terrible impact of that [2, 3] — it all started with a focus on speed to market and containing costs rather than safety.

Your executives also have questions – how can they address the new SEC rules? Are we at risk for <name of big attack in the news> that recently happened to our competitor? How do we determine how much to allocate towards security?

Be Supportive

Many people are already intimidated by technology, IT, and security. They don’t speak up because they are afraid of being berated and made to feel inadequate, even an idiot. This needs to be addressed.

Create a statement about your philosophy on Security. It should include:

  1. We recognize that people make mistakes – even tech-savvy security pros

  2. We will not berate you for making a mistake

  3. It’s essential that you always come forward immediately

Be Helpful

Provide resources that help your people secure themselves in their private lives. These good habits will be reinforced and will carry over into their work. It will also build your relationship with them. Provide a regular newsletter, and additional classes on these topics.

You Need Allies

You can’t be everywhere. How can you ensure that security has a voice at all of the various business meetings? Create a program of “Security Champions.” Identify those individuals who truly appreciate security, or at least have a degree of interest. Provide those people with additional education. Help them to see how security can help them accomplish their mission and reduce pain.

Policy and Procedure

Policy expresses the commitment and intent of executives and top management. Procedures outline the specific steps that need to be followed to achieve the desired results while adhering to regulatory, contractual, and other obligations.

Do your policies clearly outline everyone’s security responsibilities? Do you have procedures that clearly and concisely explain what to do when there is a security consideration?

Engage with a cybersecurity professional to review, discuss, and update your Policies and Procedures. This will be a dialogue with each business unit. Policies and procedures are ineffective if they don’t consider business realities.

Make Security a Business Enabler!

There are 5 ways we can enable business:

  1. Reputation Protection — Reduce the likelihood and impact of security, privacy, or compliance incidents.

  2. Smooth out the Sales Process — Educate your Sales & Marketing team on Messaging around Cybersecurity, Privacy, and Regulatory compliance. Help your organization achieve a SOC 2 or ISO 27001 certification.

  3. Contracts — Protect your organization with appropriate security riders. Review and redline contracts with customers and third parties.

  4. Reassure Your Customers — Provide regular messaging to your customers:

    • Statements about hacks that affected similar businesses to yours

    • Guidance on how to securely use your products and services

    • Alerts about critical security updates

  5. Encourage Investment — Help you comply with the latest SEC cybersecurity disclosure rules. Improve your cybersecurity governance program. Ensure your 10-K statement on Cybersecurity Risk Management and Governance strikes the proper balance.

Engage a seasoned cybersecurity professional who understands the business so that they can build out this program and educate key stakeholders.

Next Steps

Engage us for a free consultation so that we can help you build out a stronger security culture. It's free and we will provide you with actionable ideas you can implement right away.

References

  1. https://firewalltimes.com/social-engineering-statistics/

  2. https://www.forbes.com/sites/petergeorgescu/2024/04/30/boeings-last-chance-meaningful-purpose-powerful-culture-enlightened-leadership/ - quoted below:

In an opinion piece for The New York Times, Bill Saporito, who has covered the airline industry extensively, writes that changes in the company’s culture began decades ago. He pointed to a shift that began in the 1990s when Boeing, in an effort to be more competitive, underwent several reorganizations and purchased its domestic competitor McDonnell Douglas. That acquisition in 1997 prompted Boeing to move its headquarters twice and change CEOs several times. Saporito writes, “What Boeing missed, as it tried to dump costs and speed production, was the chance to ensure that safety was a cultural core and a competitive advantage.”

  3. https://www.axios.com/2024/02/27/boeing-safety-culture-report-faa

Excerpt from Security Awareness Training

Ransomware Presentation for Management

References from Presentation

  1. Ransomware eBook

  2. https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

  3. https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

  4. https://www.healthcareitnews.com/news/how-princeton-community-hospital-survived-global-petya-attack

  5. https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf

  6. https://www.bbc.com/news/technology-54692120 - "Therapy patients blackmailed for cash after clinic data breach"

  7. https://www.malwarebytes.com/blog/news/2023/03/breast-cancer-photos-published-by-ransomware-gang

  8. https://www.theregister.com/2024/01/05/swatting_extorion_tactics/

  9. https://www.massgeneral.org/assets/mgh/pdf/emergency-medicine/downtime-toolkit.pdf - "Hospital Preparedness for Unplanned Information Technology Downtime Events" (July 2018 - Mass General Hospital)

  10. HSEEP - Homeland Security Exercise and Evaluation Program - https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep

  11. DHS Cyber Tabletop Exercise for the Healthcare Industry (Exercise Materials) - https://www.hsdl.org/c/abstract/?docid=789781

  12. FEMA: Safe Exercise Best Practices - https://www.fema.gov/sites/default/files/documents/fema_safe-exercise-best-practice_06072021.pdf

  13. HSEEP Training Videos - https://www.youtube.com/playlist?list=PL720Kw_OojlJRVI3gQiZzj2g72Ez8ISlA

  14. CISA Tabletop Exercise Packages - https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages

  15. Carnegie Mellon: Guide to Effective Incident Management Communications - https://insights.sei.cmu.edu/library/guide-to-effective-incident-management-communications/

  16. ASD: Identifying and Mitigating Living Off the Land Techniques - https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques

  17. InfraGard - FBI partnership with the private sector - https://www.infragard.org/

  18. The Health-ISAC - https://h-isac.org/

  19. ASPR TRACIE - https://asprtracie.hhs.gov/

  20. HIMSS - https://www.himss.org/

  21. Health Sector Coordinating Council Cybersecurity Working Group - Cybersecurity Strategic Plan - https://healthsectorcouncil.org/cyber-strategic-plan/

Contact me for a free consultation today!
