Why Cybersecurity Is a MUST not a SHOULD

Why Cybersecurity Is a MUST not a SHOULD
Author: Veronica N. Rose, CISA, CDPSE - Board Director at ISACA Foundation and Digital Trust Professional
Date Published: 30 November 2020

There is no doubt that security is now a recognized need within and across organizations. This reflects the acceptance of how an organization’s behavior is dependent on shared beliefs, values, and actions of its employees, which includes their attitudes towards cybersecurity.

Just as most traffic accidents are caused by human error, cybersecurity is no different. I recently wrote an article titled “Why October Shouldn’t Be the Only Cybersecurity Awareness Month,” and in this blog post, I am sharing some of the reasons why cybersecurity responsibility is not a SHOULD but instead a MUST for users, because well-trained employees become robust human firewalls against most cyber-attacks.

In other business units, all things start with governance. For example, in finance, no user can be reimbursed money after taking a trip without a receipt because that’s what the policy states. So, when it comes to cybersecurity, we should stop pleading with users and asking them to please think before acting. Let us clearly set user expectations so they are aware of what they are supposed to do.

Organizations are constantly hit with unknown cybersecurity risks, and there is no doubt that most risks are due to human error. Since cybercriminals are humans, too, and use different forms of social engineering to attack the human firewall, it is more important than ever to shift from “You shouldn’t do this” to “You must do this.”

I saw a tweet on 30 October that quipped “The cybersecurity awareness month has ended, go ahead and use your pet’s name as your password.” All joking aside, users need to own their behavior and be held accountable. Maintaining the security of an organization should be taken seriously; users’ carelessness can cost the organization dearly despite often substantial investments in security programs and training.

With the increasingly prevalent work-from-home model, the organization’s security is at the mercy of the user. If users are not held accountable for their actions, expect budget costs and compliance issues to rise.

In safety science, there is a term called “just culture.” This describes the way an organization deals with errors, mistake and failure to predict a range of organizational attributes, like how well and how fast the organization learns and adapts to change. With “just culture,” an organization blames the user, specifically when the user has been given clear expectations, trained to fulfill the expectations and given the resources to do what they are supposed to do properly. If users don’t follow policies, they have no option but to take accountability of their actions.

So, let us learn from industries like aviation and medicine. Let us not assume that if a user does something wrong, he or she needs more awareness. NO! More frequently, users choose to ignore the process or they may actually be malicious (or perhaps other considerations coming into play, such as having to rush somewhere and leave their machines unattended). Apart from the corporate culture, we need to find out what is stopping everyone from adopting the needed cybersecurity culture.

Look at best practices as a must
Humans are a huge asset to an organization’s cybersecurity if they are provided with the right knowledge to identify cyber threats through an effective and engaging security training program. They can become the strongest line of defense for an organization. So, what do we need to make that happen?

  • Implement an outlined cybersecurity culture management plan or policy. Many organizations lack this first and all-important step toward a cybersecurity culture.
  • Watch out for security awareness fatigue. Most cybersecurity awareness programs primarily broadcast awareness tips and promotion of information to users. However, if such information is tailored to a specific user, it can be more effective.
  • Understand that your remote workers do not have a cybersecurity team at their location to assist them. So, mandating a policy and expecting compliance without the appropriate training and assistance to ensure that their home network is safe would be counterproductive. For security awareness to reverberate, it needs to be role-specific, tailored, fun, and address the challenges that staff face on a day-to-day basis. Providing your employees with easy to consume content that is relevant to their role is a critical step in changing their behavior and culture.
  • Security awareness professionals should join the governance side to be able to decide which technology should be used to assist users in doing the right thing, what processes to follow, etc.
  • We need to understand to what extent our technical controls can help us close the gap that we are relying on for our users.
  • We need to recognize awareness successes by rewarding users. For example, every time users don’t click on malicious links, and users report things proactively and help to stop attacks, they should be rewarded.
  • Ensure all employees understand their roles in their organizations’ cyberculture.

Security awareness doesn’t solve all security problems. Sometimes, cybersecurity leaders need to join the governance side to be able to make concrete decisions regarding the security culture of an organization.

Engaging with employees is an important part of the process. Instead of always telling users what not to do, let’s train then on how to do the right things. People are curious by nature, and hearing the instruction of what not to do can tempt some people to find out why.