Organizational culture is all about the behaviors and processes that you want employees to follow. As employee behavior - whether intentional or unintentional - is one of the primary sources of security issues, it is important to have security culture deeply embedded in an organization’s culture from the get-go.
While cybersecurity may not seem the most urgent priority for entrepreneurs and their start-up business ventures, increasing the emphasis placed on cybersecurity reaps rewards as the business matures. This is the key message of CyberCube’s contribution to a new World Economic Forum report.
The report Incentivising Responsible and Secure Innovation: A Framework for Investors and Entrepreneurs focuses on incentivising secure and responsible innovation during this period of rapid technological change and high consumer demand for internet-connected products. According to the report, “digital technologies are introducing new vulnerabilities faster than they can be secured and the prospect of curbing cyberattacks diminishes with each additional unsecured technology”.
In today’s world, most start-up organizations depend on technology to survive and prosper. Information and data have become the most valuable asset for early-stage companies, and they understand it is crucial to protect their own data, their customer data, intellectual property and their brand. A security-aware organization will be able to survive security breaches, learn lessons from its experiences and adapt its operations to patch vulnerabilities.
However, start-ups have many competing priorities, not least, to hire key staff and develop and deliver new products to market as quickly as possible. This rapid workforce expansion and focus on product development can hinder an organization’s ability to nurture and embed a strong security culture - which is so crucial to the long-term sustainability of the company.
At CyberCube, we strongly believe that all interactions with systems and data should be done with a security lens, not just to protect the privacy and data of customers and employees, but also to avoid business interruption.
We have invested in creating a sustainable security culture from Day One, combining security policies - which we can enforce - and the attitudes of each employee towards those policies - which we have to nurture.
Building a security culture is not a one-time effort; it requires constant diligence and cannot be established overnight. Early-stage companies must establish a sustainable security culture, reinforce it through small attainable goals, embed awareness in employees and remember to make it fun and engaging!
Here are some of the best practices we’ve learned:
a) Security belongs to everyone: Security is not the responsibility of the security team alone. Everyone handles sensitive data and they all have an effect on security. In all-employee meetings, we frequently discuss industry-wide breaches, how they were perpetrated and how they are relevant.
b) Make it fun and engaging: People want to participate in a culture that is enjoyable. At CyberCube, we dedicated last October (Hacktober) as Security Challenge Month. We threw different security challenges at employees (attacks via email, phishing, social engineering etc.), gave them a scorecard and rewarded the most vigilant.
c) Focus on awareness: It is important to ensure that everyone in the company is educated in security fundamentals and best practices. All employees are required to take part in a security training program. This is an ongoing activity as security itself is a changing landscape. Key areas to focus on for training and processes include:
· Phishing
· Social media and social engineering
· Bring Your Own Device (BYOD)
· The mobile workstation
· Secure login/Multi-factor authentication
· Safe behavior on the internet
· Principle of least privilege
d) Lead by example and reward good behavior: Leadership teams are extremely visible role models and their behavior is amplified. Creating a cascading security culture that any new employee can experience from their first day will reap long-term rewards.
The World Economic Forum’s report Incentivising Responsible and Secure Innovation: A Framework for Investors and Entrepreneurs is available from the Forum’s website at www.weforum.org.