Being #CyberAware: Reinforcing a culture of security in the workplace
As part of Vera’s ongoing blog series highlighting Cybersecurity Awareness Month, we’re shining a light on each major theme set out by the National Cyber Security Alliance for 2018.
Last week, the NCSA highlighted the importance of Educating for a Career in Cybersecurity and how parents, educators, and students can work together to prepare individuals for one of the most in-demand and rewarding careers in technology. This week, we shift our focus to the third major theme: It’s Everyone’s Job to Ensure Online Safety at Work.
There are several important aspects of this theme, including education and training of security staff, end-user awareness training, and operational considerations such as risk management, resistance, and resilience. However, there is an even more fundamental component that gets right to the heart of enterprise security:
Security is something we all have to participate in; it doesn’t just magically happen to us.
It is an active process that everyone from security analysts to end-users must be involved in. Needless to say, there are many layers of security technology protecting us at all times that most users never see. But if users are not aware, trained, and engaged with security policies, then things can quickly go awry. This is true no matter what job role we have or whether we work in an office, hospital or restaurant.
Today, I’d like to share a few tips on how to ensure online safety in your organization:
Tip #1 – Making security active and accessible
For many users, security can seem like an abstract concept that doesn’t directly involve their job. There are often good reasons for this view. Security is frequently something that gets in the way of their work or comes in the form of a long list of “NO’s” (don’t click links in emails from unknown senders, don’t reuse passwords, etc.). This training is, of course, important, and we will talk about it later. But avoiding bad behavior is not nearly as engaging as actively participating in strong security. In addition, no one is perfect. Users get busy and distracted, and will eventually make mistakes such as clicking on a risky link. It happens to even the most seasoned security staff.
Vera offers a much more proactive way for all users to engage in security without it getting in the way of their work. Every time a user secures a file, no matter how they choose to share it, they are actively managing the security and privacy of their data. Users automatically use encryption and policy to control who can view or edit a document while being able to monitor and revoke access at any time, all while maintaining a full audit trail to track every path the data takes.
And this is subtly transformative. Instead of always trying not to do the wrong thing, users are actively engaged in doing the right thing. This is not only good security practice, but it also continually reinforces a culture of security that end users participate in.
Tip #2 – Putting a focus on employee awareness training
Another key component of building a culture of security is awareness training. In most cases, employees are the front line of enterprise security: malicious hackers target users to get a foothold in an organization, and many breaches result from simple errors in which users inadvertently disclose data where they shouldn’t. As a result, it’s critical that users have the practical skills to help keep themselves (and the organization) safe and are aware of how their actions impact the organization.
Furthermore, security awareness training is a key component of regulatory compliance. HIPAA, PCI DSS, ISO 27001, SOC 2, GLBA, and FISMA are just a few standards/regulations that require security awareness training. However, to build a strong security culture, organizations should treat training as more than just a regulatory/compliance checkbox. Employee awareness and training should be performed at regular intervals to reinforce key points, and also during important events such as new employee onboarding or after a security event.
Tip #3 – Participate in regular security education
While employees need to be trained on best practices, IT and security staff must constantly keep pace with changing threats, security technologies and regulations. The constantly evolving nature of technology means that security training is necessarily an ongoing process. For example, as organizations move to the cloud, IT and security staff need to understand the implications and requirements of extending security to the cloud.
Organizations such as the Cloud Security Alliance and WISP, which Vera is a member of, can help organizations develop the skills and processes they need to securely adopt cloud technologies. Organizations such as OWASP, ISACA, ISACA/CSX, SANS, ISSA, and ISC2 are also great resources for building and maintaining the skills of staff and teams.
These are just some of the ways that organizations can ensure security is a focus for everyone in the organization. The more that security becomes a part of the fabric of the enterprise, the stronger and safer the organization will be. At Vera, we take this responsibility very seriously and we look forward to helping organizations to take total control of their data.