Building and maintaining an IT security culture when everyone’s working remotely
Imagine, for a moment, an employee in a corporate setting – let’s call this person Kelly – facing an all-too-common scenario: She needs to send an urgent and important email to a group of external stakeholders, with internal documents included as attachments.
Simple enough, right?
All Kelly needs to do is write the email, add the attachments and – if given the luxury of a spare few minutes – review for any spelling or grammatical errors before sending.
But this seemingly simple process is actually fraught with risk from a data security and protection perspective.
Did Kelly review the email content to ensure no sensitive corporate or personal information was disclosed?
Did Kelly think about the attachments in the same way? Did Kelly also consider the recipients, and whether they’re authorized to receive the information in the first place?
If Kelly is like most employees, then the unfortunate answer is likely not.
But it’s not Kelly’s fault.
Kelly’s organization hadn’t invested the time, effort and cost required to create and implement an effective IT security and data protection culture. That is partly why, in Kelly’s mind, data protection and security are solely the job of the IT security team.
And while that thought couldn’t be more wrong, without a strong security culture at the organization – especially with virtually everyone working from home right now – it’s a thought not likely to be corrected anytime soon.
Why a culture of security and data protection matters
According to global IT association ISACA, a corporate culture of security requires “a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things.”
It’s similar to the push at many companies to build a data-driven culture: only instead of ensuring access to clean data, data literacy and a single source of truth, companies building a security culture must focus on moving employees’ attitudes toward a security-first mindset.
That’s mostly because humans are usually the weakest link in any security chain, says Security Journey CEO Chris Romeo in TechBeacon. “An organization’s security culture requires care and feeding. It is not something that grows in a positive way organically,” he says.
Computers and applications do what they are configured to do; human employees, left to their own devices, often take the path of least resistance. That is why an ongoing, persistent and sustained program is essential.
Romeo adds that a sustainable security culture has four defining features:
- It’s disruptive, fosters change and improves security within the organization.
- It’s engaging, fun, and something in which employees want to be involved.
- It’s rewarding for employees being asked to invest time and energy.
- It provides a return on investment.
But implementing this kind of culture in the corporate world isn’t easy, especially at organizations with loose and longstanding data protection processes. Old habits, after all, die hard.
Corporate culture is ultimately created and implemented from the top down, but requires buy-in from everyone in the organization – something that’s not necessarily intuitive among those who may not see it as part of their job description.
And the numbers bear this out: According to a survey by ISACA and the CMMI Institute, only 34 percent of organizations indicated that their staff fully comprehend their important role in the organization’s overall security posture.
Indeed, according to many security experts, the biggest barrier to a robust security and data protection culture is a familiar culprit – human nature.
This goes for everyone in an organization: Too often, leaders see investments in a security culture as distracting and not conducive to the bottom line (even though the cost of a data breach is likely to be far more serious, in terms of both reputation and dollars).
At the same time, front-line employees and middle managers are often lulled into complacency during the day-to-day grind.
And, unfortunately, in the current (and possibly long-lasting) period of mass work-from-home due to Covid-19, maintaining a security culture gets even harder: unsecured personal devices, residential Wi-Fi networks, legacy VPNs and similar issues widen the attack surface well beyond what the office network was designed to protect.
How to build (and maintain) a culture of security and data protection
Security experts, however, say lackadaisical attitudes toward security culture are changing with necessity. “Security is everyone’s job today. If we really want to protect our customers and our business, we all have to take responsibility for security,” says AWS CTO Werner Vogels in Security Now.
But what are the best ways of doing it?
At the physical office, posters in the hallways and other initiatives to raise awareness can work, but are easily ignored if not engaging enough – never mind that these mechanisms have become pretty much irrelevant with most people not in the office in the first place.
As noted above, many companies have set out to become data driven, and the processes for fostering an IT security culture are not very different.
In both cases, the initiative must have strong champions within the C-suite and company executives in order to drive required and lasting change – anything else can either quickly evaporate or devolve into a meaningless box-ticking exercise.
Mike Saurbaugh, a faculty member at the Institute for Applied Network Security (IANS), offers these tips:
- Motivate from a personal perspective: Raise security awareness among employees in a broader context, such as reminding them that protecting company security will also help protect their personal finances, families, and overall well-being.
- Gamify your program: You can drive employee engagement by making security and data protection fun and rewarding, while at the same time fostering friendly competition among employees and departments.
- Recognize success within the company: This helps employees and groups feel more valued and keeps everyone motivated, while providing concrete evidence to the whole company that the program is working.
- Keep it simple and measured: Just like building a data-driven culture, focusing on smaller, incremental and more realistic goals is a better plan of attack than trying to do too much, too soon (which can bring on the dual negatives of annoying staff and ultimately failing to meet objectives, further raising the ire of doubters).
Chief information security officers (CISOs) can also play a leading role in building a budding security culture.
Although CISOs have sometimes struggled to be taken seriously by their C-suite peers, growing security threats have raised their standing considerably, which helps when promoting a broad-based security culture.
Data security automation software helps maintain a security culture (even remotely)
In 2020, of course, the discussion around corporate security culture must always circle back to the remote and distributed teams question: How do you continue to remind employees of the importance of security and data protection, when these employees are no longer at the physical office?
Reminders through email and the company intranet, for example, can help but are easily ignored (especially from home).
That’s why in this new work-from-home era, data classification and identification software can help maintain a hard-fought data protection culture through automated processes and reminders.
Such data security automation software helps keep everyone honest and on the same page: it automatically identifies and classifies sensitive and personally identifiable information (PII), applies built-in controls, and embeds reminders into basic but crucial company workflows, such as sending an email to external stakeholders.
Data discovery and classification software lets an organization automatically identify where its sensitive data lives, classify it according to predetermined sensitivity levels, and attach the appropriate metadata to each document (including emails and Office files) so that downstream controls such as data loss prevention (DLP) and cloud access security broker (CASB) software can act on it. Those downstream decisions are only as good as the labels, so classification rules need tuning and review like any other detection logic.
And while all this goes on in the background, the same software helps maintain security awareness among staff: every time sensitive company data is created, shared or otherwise handled, automated triggers and reminders fire based on the content and the people involved.
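To make the mechanism concrete, here is an added example (not code from the page or from any vendor’s product) of the check that would run when Kelly presses “send”: every part of the message is scanned for regulated data and classification markers, the highest label wins, the recipients are split into internal, cleared external and uncleared external, and the result is allow, warn (show a reminder) or block. The internal domain, the allow-list of partner domains, the regular expressions and the sample email are all constructed assumptions for illustration.

```python
import re
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"             # assumed: the company's own domain
AUTHORISED_EXTERNAL = {"vendor-a.example"}   # assumed: partners cleared for CONFIDENTIAL

# Sensitivity levels, lowest to highest; an email takes the highest label of its parts.
LEVELS = ["GENERAL", "CONFIDENTIAL", "RESTRICTED"]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # US SSN shape
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")              # 13-19 digits, separators allowed
MARKER_RE = re.compile(r"\b(?:INTERNAL ONLY|CONFIDENTIAL)\b", re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Dict[str, object]:
    """Label one piece of content and keep the findings as its metadata."""
    findings = {
        "ssn": len(SSN_RE.findall(text)),
        "card": sum(1 for m in CARD_RE.findall(text) if luhn_ok(m)),
        "marker": len(MARKER_RE.findall(text)),
    }
    if findings["ssn"] or findings["card"]:
        label = "RESTRICTED"        # regulated personal data
    elif findings["marker"]:
        label = "CONFIDENTIAL"      # the author marked it
    else:
        label = "GENERAL"
    return {"label": label, "findings": findings}


def classify_email(msg: dict) -> Dict[str, object]:
    """Label the body and each attachment; the overall label is the highest one."""
    parts = {"body": classify_text(msg["body"])}
    for name, content in msg.get("attachments", {}).items():
        parts[name] = classify_text(content)
    overall = max((p["label"] for p in parts.values()), key=LEVELS.index)
    return {"overall": overall, "parts": parts}


def split_recipients(recipients: List[str]) -> Dict[str, List[str]]:
    """Group recipients by whether they are internal, cleared external or not cleared."""
    out: Dict[str, List[str]] = {"internal": [], "authorised": [], "unauthorised": []}
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain == INTERNAL_DOMAIN:
            out["internal"].append(addr)
        elif domain in AUTHORISED_EXTERNAL:
            out["authorised"].append(addr)
        else:
            out["unauthorised"].append(addr)
    return out


def evaluate(msg: dict) -> Dict[str, object]:
    """Decide allow / warn / block and say why, so the reminder shown to Kelly is specific."""
    labels = classify_email(msg)
    rcpts = split_recipients(msg["to"])
    external = rcpts["authorised"] + rcpts["unauthorised"]
    level = labels["overall"]
    reasons = [f"{name}: {p['label']}" for name, p in labels["parts"].items()
               if p["label"] != "GENERAL"]
    if level == "RESTRICTED" and external:
        decision = "block"
        reasons.append(f"regulated personal data may not leave {INTERNAL_DOMAIN}")
    elif level == "CONFIDENTIAL" and rcpts["unauthorised"]:
        decision = "block"
        reasons.append("not cleared for CONFIDENTIAL: " + ", ".join(rcpts["unauthorised"]))
    elif level == "CONFIDENTIAL" and rcpts["authorised"]:
        decision = "warn"     # cleared partners, but make the sender confirm
        reasons.append("external recipients present; confirm they should receive this")
    else:
        decision = "allow"
    return {"decision": decision, "level": level, "reasons": reasons, "recipients": rcpts}


# Constructed sample of Kelly's email; the numbers are standard test values, not real data.
SAMPLE_EMAIL = {
    "to": ["partner@vendor-a.example", "someone@gmail.com"],
    "body": "Hi all, the Q3 figures are attached. Call me on 555-0100 with questions.",
    "attachments": {
        "q3_customers.csv": "name,ssn,card\nA. Person,123-45-6789,4111111111111111\n",
        "agenda.txt": "1. Intro\n2. Roadmap\n",
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_EMAIL))
```

The point of returning `reasons` rather than a bare verdict is that the reminder Kelly sees should name the attachment and the recipient that caused it; a generic “this may contain sensitive data” banner is the email equivalent of the hallway poster and gets ignored just as quickly.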
Indeed, just like (or maybe even better than) those posters and other reminders around your physical office, data classification and identification software is always there to remind employees of the right course of action at the right time.
That means companies can extend their data protection and security program to remote workers more easily than before.
It also means the next time Kelly sends an email containing sensitive data to external stakeholders, the correct course of action won’t just be obvious – it’ll be embedded right into the employee’s workflow.