Adopting a positive security culture and encouraging better employee awareness

Security failures happen. Unfortunately, in today’s always-on, highly digitised world, a breach is inevitable and a question of not if but when. We only need look at the news during the first few weeks of 2023 to see several high-profile breaches reported, including T-Mobile and Mailchimp. These companies, their customers and their employees must remain on high alert in the coming months for increased phishing attempts from threat actors using credentials obtained in those attacks.

So many of these breaches get blamed on employees being socially engineered, which highlights the importance of employees being more aware of their role in cybersecurity and of companies having effective, thoughtful security training and intuitive security systems in place. Users are an organisation’s biggest vulnerability: a well-known attack vector for data exfiltration that unfortunately cannot be completely closed. Today, organisations have a wide variety of users, and any one employee, partner or supplier at any level of the company can present a vector through which an attacker can infiltrate the organisation.

Adopting a security culture

Business leaders need to be much more aware of the role they play in fostering a culture of security, while also driving for more comprehensive security systems to defend the organisation. This strategy should also include a thorough understanding of who has access to what, and who is using and interacting with critical systems. In essence, security is everyone’s responsibility, and if management at all levels isn’t abiding by and regularly encouraging security awareness across the organisation, the business should view this as a huge performance gap.

At the same time, human error is used all too often as a catch-all reason when a breach occurs, with employees being blamed for not being vigilant enough. This mindset suggests that the business is relying on a system that requires humans to behave perfectly and never make mistakes, such as clicking on phishing links or misdirecting an email. The team responsible for designing and implementing systems needs to think about what could possibly go wrong, on the assumption that mistakes will be made. Take the classic example of a busy or distracted employee clicking on a link that creates a compromise: every company should consider how its systems can detect and prevent this vector of attack, but must also put in place measures to stop and contain the attack when it inevitably gets through the defences.

Drinking poisoned coffee

Looking at this another way: if a customer is served a coffee that is poisoned, is it the customer’s fault if they drink it? No, we would generally lay the blame on the system that allowed such a thing to happen in the first place. In terms of risk management, it is very unlikely that the customer will be poisoned, but if it were to happen, there would need to be systemic changes to prevent it from happening again, rather than blame on the person for drinking the poisoned coffee.

For security awareness to work, it needs to extend across the business while considering how employees actually do their jobs, assuming they will get tired, stressed and subsequently make mistakes. The system must account for all of these scenarios. The perfect system does not exist, but business leaders need to accommodate real behaviour by building in systemic changes and aiming for defence in depth as threats unfold.

Additionally, the security culture needs to include engaging training, and it should thoughtfully avoid victim blaming and punishment of those who fall into a criminal’s trap. To some extent security should always contradict usability – it shouldn’t be that easy to access data, and it should make people stop and think. There must be a balance between usability and security – access shouldn’t be so difficult that employees don’t want to work at the organisation, nor so easy that anyone can access the system.

Staying in the safety zone

So, what solutions can organisations put in place to help users stay in the safety zone?

  • Password managers make it easy for users to never have to remember passwords, which leads to the use of more complex and unique passwords for each site.
  • Two-factor authentication also adds another layer of control to protecting data.
  • Automating single sign-on for onboarding and offboarding employees means they only get access to the data they need, and when they no longer need access this privilege is promptly revoked.
  • Credential vaults and organisational segmentation enable the organisation to understand access partitioning, so that only those who need access obtain it, and only when they need it.
  • Implementing a ‘trust no-one’ Zero Trust approach ensures only certain individuals have access to parts of the network. Internal firewalls and application firewalls add a high level of granular control.
  • Using machine learning to watch the network and undertake threat modelling provides valuable insights and rapid reactions to threats.

Humans are infinitely hackable, therefore systems must be designed around how they are going to fail. Organisations need to implement layers of security and think about how they can make it difficult for people to do the wrong thing. Systemic changes need to be in place to react when incidents do happen. Organisations must design systems that are both secure and easy to navigate, so that users don’t work around security but embrace it.

Make training engaging and fun

And finally, organisations must make training fun and reinforce the importance of having a positive security culture. This means making sure executives are modelling the proper behaviours and ensuring employees at all levels of the organisation understand this.

When there is a breach, corporate training often gets pushed out as a penalty, or organisations use training only to obtain certifications that prove employees have been trained in cybersecurity. As a result, training is boring, no one pays attention to it, and it becomes a tick-box exercise. Incentives should be in place, and the training should be engaging and effective so that it delivers the right outcome: security awareness that improves security, not just passes an audit. Ideally, organisations should have a positive culture around security, so they don’t have to rely on always poison-checking their coffee.

By Brian Knudtson, Director of Product Market Intelligence, 11:11 Systems