How to Create A Cyber Security Culture + Employee Security Awareness
Did you hear the story of the Central Bank of Bangladesh that lost $81 million to hackers? It happened in February 2016 and goes like this. The bank believes hackers executed a hack that allowed $81 million to be taken from the bank’s foreign exchange account at the Federal Reserve Bank of New York. It appears that the initial point of entry for the hackers was a spear-phishing email, potentially sent weeks before the fraud took place, which allowed the criminals time to remotely monitor and probe the bank’s networks without detection.
This is just the latest advanced threat facing financial organizations. Beyond cyber technology (which is essential), organizations need an internal culture of security, an ongoing, organization-wide commitment to defining and adhering to careful, thoughtful policies that reduce or eliminate “people vulnerabilities” through assessments, awareness, and education.
We recently published a Four Step Guide to Creating a Culture of Security. Here are some highlights – you can read the full paper HERE.
1. Create a Computer Incident Response Team
Your first step is to find the right people who can oversee your information-security policies and be part of a “Computer Incident Response Team.” Although IT professionals are responsible for overseeing and maintaining your computing infrastructure, you also need business users to play a central role in your security initiatives.
After all, they’re the ones who use these resources – and the ones who can represent the biggest vulnerabilities and risks. While the team’s responsibilities can vary, many CIRTs are active in several key areas:
Create a Plan
Create Training Programs
Respond to Incidents
Communicate with Peers/Industry Groups
2. Define Your Terms
Before you can secure your confidential information, it’s important to define exactly what you mean – and ensure everyone in your organization is literally and figuratively on the same page.
Many firms create a 10-20-page written information security plan that formalizes the definitions and policies that govern the creation, access, and deletion of confidential information and computing services. That can be everything from a definition of personally identifiable information (PII), a description of user access privileges and roles, or policies regarding USB thumb-drives. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
3. Deliver Comprehensive Training
“Operationalizing the culture” – it’s a mouthful to say, but it’s still important to recognize. All of the documents, committees, and meetings won’t have any meaningful impact if the proper security practices don’t spread quickly and uniformly across the organization. And the way that starts to happen is through systemic and comprehensive training practices.
Vendors can help you develop the right curriculum – tailored to your business’s unique needs, preferences, and policies.
4. Remember the Internal Culture Reaches Out Externally
Even when you have locked down your internal systems, implemented best-practices policies and procedures, and trained your employees to think “security first,” there’s still more work to do, culture-wise.
Assess Third-Party Risks – Perhaps the weakest link in the security chain is one you have little (or no) control over: the performance of your partners.
Regulatory Risks – Following the right security practices will enable you to achieve clean audits from industry and government regulators.
Personal Email – Even if your employee is following all of your processes and practices with work-related email, you could still be vulnerable if her private, personal email is breached or corrupted. That can unintentionally open a back door to your network environment. And that means security vigilance must extend from professional to personal domains.
By developing an internal culture of security, the organization does far more than deploy and configure bits and bytes. It commits to defining and following thoughtful, far-ranging policies to eliminate the needless internal vulnerabilities that often go unrecognized.
Let Eze Castle Integration's team create your Cybersecurity Program - Learn more.
You Might Also Like
What is Active Threat Protection? Stopping Advanced Persistent Threats
Understanding Social Engineering: How to Avoid Phishing Attack
WISP Basics for Hedge Funds: The Four Key Elements of a Written Information Security Plan