As students head back to school this month, we’re heading back to the cybersecurity basics and reviewing some best practices for a secure network. Along with developing security safeguards and policies, every cybersecurity strategy should focus on the human aspect: developing your team and your company culture.
People are a key resource in the protection of a company’s security, both physical and cyber. If human error is a key risk to your cybersecurity (and it is), then it is also vital that people are included as part of the solution in your defensive cybersecurity strategy.
Establish a Culture of Security
Company culture matters, and culture must have support from the top. CISA says this best in their Action Plan for Small Business: “Culture cannot be delegated.” The CEO and senior leaders must be involved and agree with the cybersecurity strategy of the company. The IT professionals cannot create culture on their own.
Employees and clients need to see the company’s values lived out by their leaders and integrated as a normal function of doing business. Leaders need to integrate security into daily life, including discussions of security topics and reviews of security performance goals. Make sure security goals are tangible and realistic, and ensure accountability as well.
A culture of security includes a relational aspect too. In order to stay committed to the company’s values, employees need to feel connected to the company mission. This is the job of leaders – cast the vision, ensure employees understand their role in the mission, and ask all personnel to keep their role in security at the forefront of their work. Security is everyone’s job – it does NOT fall solely on the shoulders of the IT department.
Provide Regular Training
When people commit to the company mission and to the importance of the company’s cybersecurity strategy, they are more receptive to training for their specific roles in security. Do not assume that someone who works with computers understands security.
The onboarding process for every employee, regardless of role or responsibility level, should include a review of the company’s security policies, and every employee should attend regular security meetings to maintain current knowledge of risks and solutions. Establish a quarterly training schedule to ensure that everyone is kept informed.
Support IT Leaders
CEOs and managers can support their IT leaders by creating a security culture, as mentioned above, and by collaborating with those leaders to enforce security policies. In some organizations, senior employees are exempt from security controls such as MFA – in fact, leaders should be the FIRST to adopt new security processes, and they should remind employees to do so as well. It should not fall entirely to the IT team to convince employees to do their jobs.
Designate Clear Security Roles
Both in job descriptions and in network permissions, it’s important to establish clear expectations. Employees should know their own job, their specific role in security, and the responsibilities that come with the network privileges they have been issued.
Choose a Security Program Manager. A specific person should own the process for the tasks above and follow through with the creation of policies, training, documentation, and updates to stay current. Security policies will not just happen, and people will need reminders to follow them.
Assign proper network roles. Remember to work from the principle of least privilege – users are granted only the access necessary to do their jobs. This principle determines who should be an administrator, who should have access to sensitive data, and who needs only a basic user account.
Keep working on this! A healthy company culture takes time and effort. We know you can do it, both for the relational benefits and for the technical benefits that a company security culture brings.
For more about the human element of cybersecurity, read our blog here.
Stay tuned for more of the Back to Basics series. Using CISA’s Action Plan for Small Business, we’re offering the latest in cybersecurity best practices.
We at StandardUser Cybersecurity are on a mission to share cybersecurity and cyber safety education with everyone, to make our world a better place. Are you with us? How can we help? Let us know today. Whatever your cybersecurity challenge, we can help you keep your business running. We are a defensive and offensive cybersecurity company, using over 30 years of experience with active commercial and government work and proven security methodologies. We also educate teams and professionals who want to build on their skills. Occasionally we communicate with cybersecurity memes. We set the standard for cybersecurity excellence.