I recently spent a day at the CIPD, attending the Security Awareness Special Interest Group (SASIG)’s 8th annual HR Workshop. These workshops bring together leaders in the fields of Information Security and HR to share best practice and discuss the key issues facing organisations today.
Information security and organisational culture
This year’s event focused heavily on the role of organisational culture in providing organisations with the best possible cyber and information security.
Here are my take-away points from the day:
1. Policies apply to everyone
It is often the case that directors, owners or C-level employees believe that policies don’t apply to them. If the CEO is in a rush and asks the HR manager for an emailed copy of key data for a meeting they’re late for, how easy is it for the HR manager to refuse and point to the need to follow procedure?
If your staff don’t feel able to do this, you are opening yourself up to a huge risk. Targeted attacks are increasing in complexity and sophistication all the time. Often the CEO holds the key to the kingdom and so they’re the primary target.
In reality, the more authority a person has, the more concerned about procedure and good practice they should be!
2. Reward and punishment
Rather than punishing undesirable behaviour, we can be more effective by rewarding desirable behaviour.
For example, if you have a clear desk policy, rather than leaving a “post-it of shame” when someone leaves documents on their desk, leave a chocolate and a nice note on the desk of everyone in your team who complies with the policy.
The point here isn’t the chocolate, but rather the social aspect of the reward. The visible praise for positive behaviour is the real value. InfoSecurity magazine have a good article on this topic for further guidance, including why you should avoid financial rewards for positive behaviour.
3. Creating a ‘human firewall’
Through proper awareness and training, alongside a blame-free culture, your staff will become a ‘human firewall’ which is vastly more important, and more effective, than the physical firewalls we rely on.
With the rise of increasingly sophisticated social engineering attacks and Business Email Compromise (BEC), staff need to be properly trained to have any chance of mitigating these threats. Given the fast pace of change, this requires regular and frequent effort.
4. Mitigating risk from employees
A large risk to the security of any organisation is from inside. This may be someone just wishing to be malicious, but often it’s someone who is unhappy with something.
To minimise the risks from employees exfiltrating data from your organisation, you should encourage a least privilege mindset. This principle states that people should have the lowest level of access they need to perform their role effectively. Rushed or poorly trained staff, along with badly designed systems, can lead administrators to give everyone ‘super admin’ rights rather than taking the time to assess each employee’s requirements.
When someone does wish to do harm, this greatly increases the risk to your organisation’s data.
5. Develop a positive security culture
It’s a fact of life: mistakes happen. No amount of training, policies or good practice will completely eradicate them, so we need to learn to deal with mistakes effectively.
To effectively mitigate the risks that arise from errors, we need to learn of mistakes as soon as possible. This is true in all areas, but especially true with information security. Then we need to investigate the cause and be willing to accept that the company may have a significant role to play, for example through lack of training or unrealistic deadlines.
People can worry that accepting mistakes equates to accepting poor performance, but this is not the case. In fact, the National Cyber Security Centre (NCSC) have some great guidance on how to achieve this and differentiate accountability from blame.
In conclusion, organisations that ignore the role of culture in maintaining information security are opening themselves up to greatly increased and avoidable risk. Understanding that information security is everyone’s responsibility and training employees appropriately will reap rewards both in terms of more engaged employees and improved information security.
Written by Kit Barker
Kit is myhrtoolkit's Chief Technical Officer and a company director who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.