A Culture of Security is Vital
In aviation, healthcare, and other sectors, you often hear about building a strong "Culture of Safety." It is one of the highest priorities for organizations whose work can affect human life. Building a culture of safety is seen as foundational. Without it, lives will be lost.

The same goes for cybersecurity. As threats multiply, it is no longer adequate to teach people the basics. There needs to be a strong culture of security, one in which everyone feels free to speak up when they see something wrong or when they make a mistake.
The Challenge
How many times have you heard “people are the weakest link” in a cybersecurity presentation? The numbers seem to bear out the truth of this statement [1] — most cyber-attacks start with a human mistake — but it doesn’t paint the whole picture.
Lior Div, a former member of Israel's Unit 8200, has stated that his team was always able to break into an organization's systems; the only times they failed to achieve their objectives were when some person noticed something odd. That person would keep investigating, pulling on the thread, until they discovered the infiltration and shut it down.
The reality is that people are your greatest allies. Cybersecurity is a team sport, from the intern and the new hire all the way up to the executives. People in all of these groups have varying degrees of knowledge and understanding of cybersecurity. Instead of helping everyone truly understand cybersecurity risks and the reasons behind the best practices, organizations ply people with trainings that scratch the surface and are ultimately ineffective.
Build your Security Culture!
Have you ever heard an executive say "you're paranoid" or "you're just peddling FUD (Fear, Uncertainty, and Doubt)"? I have. It's a common misconception that security people are paranoid, and security professionals are partly to blame. We talk about hypothetical attacks and major catastrophes from the news, but we don't help others see how it could happen here. It all comes across as alarmist: "The sky is falling."
Building a security culture does not mean creating paranoia. When you raise security awareness without properly educating people, suddenly every email is being reported as suspicious — even the legitimate ones. Activity slows in an organization where no one trusts anything.
An organization with a strong security culture is one where people are not afraid to speak up when they see something that represents a security risk. Instead of fear, people are looking to continually improve.
Let us consider the various components that go into a culture of security.
It Starts at the Top
The tone of an organization is typically set from the top. When executives prioritize safety and continually reinforce that message, people follow. Consider how Boeing lost its safety culture and the terrible consequences of that loss [2, 3]: it began with a focus on speed to market and cost containment rather than safety.
Your executives also have questions of their own: how do we address the new SEC cybersecurity disclosure rules? Are we at risk of the <name of big attack in the news> that recently hit our competitor? How do we decide how much to allocate to security?
Be Supportive
Many people are already intimidated by technology, IT, and security. They don't speak up because they are afraid of being berated and made to feel inadequate, even stupid. This needs to be addressed.
Create a statement of your philosophy on security. It should include:
- We recognize that people make mistakes, even tech-savvy security pros
- We will not berate you for making a mistake
- It is essential that you always come forward immediately
Be Helpful
Provide resources that help your people secure themselves in their private lives. Those good habits will be reinforced and will carry over into their work, and it will build your relationship with them. Offer a regular newsletter and additional classes on these topics.
You Need Allies
You can't be everywhere. How do you ensure that security has a voice in all of the various business meetings? Create a "Security Champions" program. Identify the individuals who truly appreciate security, or at least have some interest in it, and give them additional education. Help them see how security can help them accomplish their mission and reduce friction.
Policy and Procedure
Policy expresses the commitment and intent of executives and top management. Procedures outline the specific steps that must be followed to achieve the desired results while adhering to regulatory, contractual, and other obligations.
Do your policies clearly outline everyone's security responsibilities? Do you have procedures that clearly and concisely explain what to do when a security consideration arises?
Engage a cybersecurity professional to review, discuss, and update your policies and procedures. This should be a dialogue with each business unit: policies and procedures are ineffective if they don't reflect business realities.
Make Security a Business Enabler!
There are five ways security can enable the business:
- Reputation Protection — Reduce the likelihood and impact of security, privacy, or compliance incidents.
- Smooth out the Sales Process — Educate your sales and marketing team on messaging around cybersecurity, privacy, and regulatory compliance. Help your organization obtain a SOC 2 report or ISO 27001 certification.
- Contracts — Protect your organization with appropriate security riders. Review and redline contracts with customers and third parties.
- Reassure Your Customers — Provide regular messaging to your customers:
  - Statements about attacks that affected businesses similar to yours
  - Guidance on how to securely use your products and services
  - Alerts about critical security updates
- Encourage Investment — Help you comply with the latest SEC cybersecurity disclosure rules. Improve your cybersecurity governance program. Ensure the cybersecurity risk management and governance statement in your 10-K strikes the proper balance.
Engage a seasoned cybersecurity professional who understands the business to build out this program and educate key stakeholders.
Next Steps
Engage us for a free consultation to help you build a stronger security culture. We will provide actionable ideas you can implement right away.
References
2. https://www.forbes.com/sites/petergeorgescu/2024/04/30/boeings-last-chance-meaningful-purpose-powerful-culture-enlightened-leadership/ - quoted below:
In an opinion piece for The New York Times, Bill Saporito, who has covered the airline industry extensively, writes that changes in the company's culture began decades ago. He pointed to a shift that began in the 1990s when Boeing, in an effort to be more competitive, underwent several reorganizations and purchased its domestic competitor McDonnell Douglas. That acquisition in 1997 prompted Boeing to move its headquarters twice and change CEOs several times. Saporito writes, "What Boeing missed, as it tried to dump costs and speed production, was the chance to ensure that safety was a cultural core and a competitive advantage."
3. https://www.axios.com/2024/02/27/boeing-safety-culture-report-faa
Excerpt from Security Awareness Training
Ransomware Presentation for Management
References from Presentation
- https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
- https://www.healthcareitnews.com/news/how-princeton-community-hospital-survived-global-petya-attack
- https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf
- https://www.malwarebytes.com/blog/news/2023/03/breast-cancer-photos-published-by-ransomware-gang
- https://www.theregister.com/2024/01/05/swatting_extorion_tactics/
- https://www.massgeneral.org/assets/mgh/pdf/emergency-medicine/downtime-toolkit.pdf - "Hospital Preparedness for Unplanned Information Technology Downtime Events" (July 2018 - Mass General Hospital)
- HSEEP - Homeland Security Exercise and Evaluation Program - https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep
- DHS Cyber Tabletop Exercise for the Healthcare Industry (Exercise Materials) - https://www.hsdl.org/c/abstract/?docid=789781
- FEMA: Safe Exercise Best Practices - https://www.fema.gov/sites/default/files/documents/fema_safe-exercise-best-practice_06072021.pdf
- HSEEP Training Videos - https://www.youtube.com/playlist?list=PL720Kw_OojlJRVI3gQiZzj2g72Ez8ISlA
- CISA Tabletop Exercise Packages - https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
- Carnegie Mellon: Guide to Effective Incident Management Communications - https://insights.sei.cmu.edu/library/guide-to-effective-incident-management-communications/
- ASD: Identifying and Mitigating Living Off the Land Techniques - https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
- InfraGard - FBI partnership with the private sector - https://www.infragard.org/
- The Health-ISAC - https://h-isac.org/
- ASPR TRACIE - https://asprtracie.hhs.gov/
- HIMSS - https://www.himss.org/
- Health Sector Coordinating Council Cybersecurity Working Group - Cybersecurity Strategic Plan - https://healthsectorcouncil.org/cyber-strategic-plan/