Time has come for organizations to elevate the level of information security education and knowledge within their organizations, and gear up for the growing cybersecurity challenge and threat landscape by establishing and maintaining a strong security program.
An organization’s security culture requires care and feeding. It is not something that grows in a positive way organically. You must invest in a security culture. A sustainable security culture is bigger than just a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.
“Organizations that do not have such a program need to seriously think about beginning a security awareness program to strengthen its defense system and protect their information resources.”
Head – Information Security
Why does an organization need a security culture? The primary answer is something that deep down we all know. In any system, humans are always the weakest link. Security culture is primarily for humans, rather than computers. The computers do exactly what we tell them to do. With use of technology and widespread connectedness to the environment, organizations increasingly have become exposed to numerous and varied threats. Outsourcing and off-shoring bring new partners into an extended enterprise, with different technologies, cultures, and sensitivities to information management. Contracting, telecommuting, and mobile workers all contribute to new security risks.
A survey conducted by Computer Security Institute with the participation Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad clearly stated that “Overall financial losses from 530 survey respondents totaled $201,797,340…”
“Cyber-crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks.”
Now time has come that organizations should elevate the level of information security education and knowledge within their organizations. A growing challenge is establishing and maintaining a strong security program.
Organizations that do not have such a program need to seriously think about beginning a security awareness program to strengthen its defense system and protect their information resources. Technology alone is not a comprehensive solution.
Management awareness, commitment, and support are a few of the more common reasons given for security awareness. Involving top management and getting their support is essential in building a strong security awareness program that employees will take seriously. If management commitment is increased, and the security awareness goals and message are communicated and communicated often, progress and improvement can be made in creating a security culture.
Dealing with globalization
A growing challenge is establishing and maintaining a strong security program that spans the globe. Even in organizations in which the security group has implemented a strong core program, it’s still challenging to get business units worldwide to take ownership of their security risks.
Complying with laws and standards
Many organizations find it challenging to stay in compliance with various government laws and regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as industry standards, including the Payment Card Industry Data Security Standard (PCI-DSS).
Security Awareness Training
Security awareness training needs a foundation of policies. Although many types of policies are in place, there must be more development of policies for incidents reporting, availability/disaster recovery, and social engineering. These policies are extremely important and should be included within an organization’s information security program. Once they are developed, it is crucial that employees receive training on these topics.
More important part is that the organization has the right people to implement security successfully, meaning individuals who take ownership of security and build good relationships with others in the organization.
Information security team has to conduct information security trainings to all employees and these trainings should be are mandatory for all employees including top management, like:
- Conduct polls or surveys about current security practices with a random prize drawing for all responders
- Publish posters, short videos, and other “quick and easy” multi-media content
- Plan a contest for users and let them design posters or other security-themed content
- Develop an information security intranet site and host all information security policies on it
- Broadcast a monthly information security newsletter covers a basic security practice
By implementing some of these changes, organizations can increase coverage of components found in more formalized security awareness programs, achieve higher levels of security awareness maturity, and benefit from a stronger security culture.
We can protect the company’s and customers’ information assets, business operations and intellectual property, from a wide range of threats organizations can minimize business damage and ensure business continuity in the event of disasters and reduce chances of business interruptions as well as reduce business risks.
All employees have to understand that information security is everyone’s responsibility. Any information security leak could lead to serious reputation loss for organizations. Thus, Security is not a practice, it’s a culture!