
Workplace culture: The first line of infosec defence

07 Jun 18

When I ask people what the greatest threat to the security of the data in their business is, I typically get a range of responses that relate to technology. Many people say the cloud, or the Internet of Things. Wi-fi is another ‘threat’ that comes up regularly. On the other hand, some people cite various individuals or groups as the biggest threat – sneaky competitors, teenage hackers and even North Korea are regularly brought up.

But the correct answer – the most underappreciated threat to any business, large or small – is its own people. That’s not to say that a business’s employees are out to get them or maliciously steal from the company, but a workplace culture that is lax with security, that does not encourage staff to be vigilant and does not evangelise for security beyond the security or IT teams is the single biggest threat to a company’s ongoing security.

Unfortunately, culture isn’t the type of thing you can make changes to and expect an immediate impact or response – it takes time. There are, however, a few steps that any business can take to ensure that security is taken seriously.

1. Build a community – the definition of a community is a group of people sharing a common interest. Whilst in theory your business should automatically be a community of workers sharing a common goal, anyone who has had a role across siloed departments knows this is not always the case. The more we can break down barriers within an organisation, the more steeled the company will become when it comes to ensuring a secure environment.

2. See something? Say something – employees should be encouraged to report bad security practices under an amnesty policy. For the most part, employees are switched on when it comes to security: they can recognise most phishing attacks and they know the importance of strong passwords. If we can combat the trend of accepting that this is simply ‘part of doing business’, we can work to fix

3. Finding the right people – once upon a time, infosec departments were full of engineers, white-hat hackers and the stereotypical geeks. But we’re seeing this start to morph as organisations wise up to the fact that often their security problem is not a technical problem – it’s a communication problem. Journalists, public relations practitioners, marketers and human resources experts are now just as common within the security department as the traditional infosec individual.

4. The hiring process – new employees are like a sponge for workplace culture. Those first weeks, days and even hours are crucial for instilling the types of behaviours that will become habit throughout their tenure at an organisation. Because of this, security professionals need a seat at the table when it comes to the induction of employees. IT policy needs to be more than just a tick-box exercise on an induction checklist.

Whilst staying one step ahead of malicious technology will always be imperative in ensuring your valuable data remains safe and secure, it’s no match for an internal culture that rewards vigilance and community.

Consider the old analogy “give a man a fish and feed him for a day, teach a man to fish and feed him for a lifetime”. It holds true here. Providing employees with the technological tools to protect your data is important but will only take you so far. In order to truly secure your data, it’s culture that becomes your first, and most important, line of defence.

Article by Bitdefender senior e-threat analyst Bogdan Botezatu.
