Building a culture of information security

It’s very likely that your business has at least some instances of data that is considered sensitive or confidential. What is your data security policy and does your staff understand it? These are the questions you should answer before spending another dime on additional security technology for your business.

That may sound funny coming from someone in sales, but it is something I encounter regularly. We often engage in conversations with businesses that are looking to improve their information security. One of the first things we hear is a list of the security products they have invested in. They tell us about anti-virus, firewalls, and perhaps the new email filter they just added to their security solution stack.

These are all important, but so often the perception is that simply spending more on the latest security solutions will solve any problems you have in network security. Unfortunately, there are undoubtedly still problems that need to be solved.

“Communication works for those who work at it” – John Powell, English Music Composer

If you want your team to act in a certain way or embrace certain values that are important to your business, they must understand that. You probably have a mission statement or core values that clearly express that to your staff. Many businesses have these proudly displayed in their office letting everyone know what is important and why the business exists.

What you don’t see are the many important guidelines, explained in detail, deep in the pages of the employee handbook. This document describes everything an employee should know about how to conduct themselves in your business, from what they should wear to what to do if they are sick. A primary reason that you have this document is to reduce risks for your business by communicating with your staff. However, information security risks have evolved to the point where they require a more prominent position than buried deep in your employee handbook.

Consider how your team would react if you fell victim to a ransomware attack. A cybercriminal has locked down your entire network leaving your staff unable to conduct business, what happens now? Will your anti-virus solve the problem? What about that expensive firewall? Who should you call and who will be able to help? Are the answers in your employee handbook? Not likely.

Implementing a Security Culture

The world has changed drastically since the turn of the century. The new millennium has brought with it new threats to our business and the health and safety of those who keep it running. Recent events have caused us to consider threats like an active shooter or a pandemic. Situations like these motivate us to reconsider our policies and procedures. Information security belongs in that conversation as well.

Cyber attacks are actually much more likely to occur and can be financially devastating to a business. It requires a shift in our company culture to be successful. This means doing the same things that you do to promote your business values and mission.

Start by developing an information security plan for your business. You can find an excellent guide provided by the Federal Financial Institution Examination Council here along with more information about developing a security culture. This guide was developed with financial institutions in mind, but it is a great reference for any business in any industry.

Security Assessment provides structure and goals

A thorough network security assessment is a great place to start to establish a culture of security in your business. Choose one that checks your current information security stance against trusted guidelines. There are several available like GDPR (the European Union’s General Data Protection Regulation), NIST CSF(National Institute of Standards and Technology Cyber Security Framework), or others more specific to your industry.

Assessments against these types of standards will go much deeper than what most network security scans provide. Expect to evaluate not only network security technology, but your current policies and procedures as well. It is within those policies and procedures where you will find areas to begin promoting your new culture of security. This will require a lot of work but stick with it and you will make progress.

Set a schedule for assessments

The best way to recognize progress is by committing to a schedule of assessments. Set goals for improvements in areas of weakness uncovered during your initial assessment. Work towards those goals before conducting another assessment. Commit to a quarterly or at least bi-annual schedule to check for progress against each prior assessment. Stick to this schedule for a few years until you have reached your targeted goals. Once you reach this point you can reduce your assessments to annual checks.

Finally, be sure that a third party provides your assessments. As much as you may trust your team, you can’t have the fox watching the hen house. This practice will provide the truest results and a road map for progress without personalities or opinions getting in the way.

For help with this process, check out our security and compliance offerings or contact us today for a free consultation.

Dave HansenBuilding a culture of information security

Related Posts