How to Develop a Security Culture
Security is a team sport. As Signpost CTO Seth Purcell put it in his recent podcast, “no one component of a system will provide excellence in security.” It takes an entire organization — not just the IT department — committed to security first to build an effective strategy, create a security culture and position itself as a security leader. In this post, we will focus on how companies can build a leading security culture throughout the entire employee journey.
The traditional security approach — where IT attempts to build a wall around the perimeter of a company — just doesn’t work anymore. There are countless examples where the employees of a company (not the wall) were the key lever in a security breach. The recent Tesco bank fraud, Anthem’s massive data breach and the compromise of J.P. Morgan’s system are just a few examples. Although walls were in place, a phishing email or a compromised employee device got through and caused massive damage to the business.
Companies that lead in security foster a security culture throughout the entire organization, from HR to product to marketing and R&D. They build an environment where security is not about rules, but about creating a win-win for the business, its employees and its customers. In doing so, they can create a competitive differentiation around security that’s reflected in increased revenue, customer loyalty and employee engagement.
So how does a company build a security first culture in a way that doesn’t cause friction? How can it create a culture that enables employees to see the value of a secure environment, and not just an extra set of rules to follow? Let’s explore some of the key levers in designing a security first experience across the employee journey.
Building a security culture into your hiring process
Employees’ security journey begins when they’re hired. New employees often adopt a lax security mindset even before their first day on the job. This can be triggered by the attitude that the company projects during recruitment. Activities such as how personal data is requested and handled can have a significant impact on their understanding of the importance of security to the business.
For example, potential hires are often asked to provide their government ID number, contact information for references, date of birth and past compensation levels via email. There are two potential issues here: the first is that the information requested is often unnecessary given the interview stage. The second is that the way it’s being requested isn’t secure.
Despite this, candidates often comply simply to avoid causing delays in the hiring process. And while they may not express concern directly, this lackadaisical attitude from the company can create a negative perception of organizational security. Most candidates would probably prefer not to share more personal information than necessary, but decide to take the risk and hope for the best. Unfortunately, this sets a dangerous precedent, with new employees carrying this mindset forward and applying it to their day-to-day work activities.
It’s easy to start employees off on the right security foot. First, ask for the minimal data given the hiring stage. For instance, don’t request social insurance, social security or other governmental ID information until you’re conducting a background check on the potential hire. There’s a good description of a basic employee application here. Second, capture employee data in a secure way (i.e., not via email!). Use candidate information management portals such as Recruiterbox and Workday’s applicant tracking module to capture and store sensitive information securely. When selecting a portal, consider the following security requirements:
– All connections to the portal must be encrypted and server-authenticated over HTTPS (TLS), with no plain-HTTP fallback for logins or uploads
– Human resources personnel who have access to candidate information must be required to use multi-factor authentication to log in
– The database of candidate information must be stored either with the hiring company or a security first cloud provider such as Amazon Web Services
– The portal has undergone a security audit by a reputable penetration testing firm; any uncovered vulnerabilities have been mitigated
Asking for the right level of candidate information and selecting a secure collection process are essential to projecting a strong security stance, and will start your new hires on a journey to adopting a security first culture, while reducing legal risk for the business.
Onboarding employees with a security culture mindset
After demonstrating in the hiring process that you take personal data seriously, onboarding presents a chance to show new hires — including part-time and contract workers — your organization-wide commitment to security.
Security policies are often delivered to new hires in the form of a large document or file that lists off the security policies and what’s expected of employees. The result? Only 32 percent of employees feel that they were educated about security policies effectively, while 45 percent say that they are unaware of any such policies. While not being aware of specific policies can be looked on as a minor miss, the end result can have huge implications on individuals and the businesses they work for. A recent data leak from the Red Cross, for example, resulted from a contractor error in data storage practices and led to the release of more than 500,000 blood donor records.
So how do you create an impactful onboarding program that’s focused on creating a security culture without the bureaucratic, document-heavy overtones? Here are a few ideas:
– Make it contextual. Give new employees the opportunity to hear from your organization’s business leaders. Have your CSO/CTO explain how an attack could impact the business, or how previous threats have been managed. Making threats real allows employees to see how they can be engaged in preventing the next one.
– Make it interactive. Security is usually one of many modules in an onboarding process. By the time the security policy comes out, new employees are ready for a third cup of coffee. Change up the tone when talking about security: use videos, interactive exercises and participation to keep employees engaged. There are some nice examples of how PwC and others are mixing up traditional security education here.
– Make it flexible. No time for in-person training? No problem. There are great options for online security training that allow employees to complete modules on their own time, and that are interactive, engaging and even fun.
An alternative to designing your own program is to outsource security training. eSentire offers a comprehensive, flexible way to train employees via their Training Day program.
However you choose to deliver your training, be sure to cover privacy policies (including customer and employee information protection) and the practical habits you expect of everyone (safe email/internet use, password creation and protection, no sharing of credentials, timely patching, etc.). For technical hires, include secure coding best practices.
Employees’ day-to-day actions are what will shape your security culture, as well as the positive or negative outcomes of that culture. Seemingly harmless things — from clicking on an email link, to delaying updates, to leaving a workstation unlocked — can have far-reaching consequences for the business. On the flip side, an organization that embraces a security first culture will not only prevent risks, but increase the overall value of the business.
There are a few key principles that can keep security at the forefront of your employees’ daily routines. The first thing to get right is organizational structure. Ensure that security is built into your chain of command from the top down. There are a number of companies that have redesigned themselves to infuse security in their organizational chart, including T-Mobile, Intel, and even the US Air Force. Whatever your company’s industry, there are a few design principles that are broadly applicable:
– Ensure there is visible, CEO-level commitment to security. Executive leadership on security is essential for garnering employee buy-in. Have your business leaders communicate regularly the value and importance of a security culture. Additionally, the C-level should be held to the highest standards in the business to set the right example.
– Separate the security team from IT. While there is an IT component to security, and IT may own some operational aspects of security (e.g., maintaining and deploying cybersecurity solutions), there are non-IT functions of security such as office security, privacy, and separation of duties. Given this, there should be separate, non-IT governance of security functions. Additionally, the creation of a dedicated security function both increases the visibility of security in the organization, and the level of rigor that can be delivered from the division.
– Enforce separation of duties. Governance of confidential information such as employee records and financial/accounting systems should never all lie with a single person or team. Employee information theft is one of many outcomes of poor controls. A recent example involved the NBA team the Milwaukee Bucks in June 2016. Ensure that you have established controls to restrict and separate access to confidential business information.
One powerful way to gain employee buy-in into your security culture is to design an incentive system that rewards security first thinking. There are some simple design choices that you can make to start to influence security attitudes across the organization, including:
– Make security awareness a component of employee scorecards and require employees to meet a security leader standard to be eligible for promotion. There are some nice examples of how Cisco and Sanofi Genzyme have built security incentive programs here.
– Find ways to call out when employees aren’t representing a security mindset. For example, when an employee leaves his or her computer unlocked, teammates can send an all-staff email saying “Hey team, I’m buying beer for everyone” from that person’s computer. Keep it light and obviously a teaching moment: the lesson is that an unlocked workstation is everyone’s problem, not that a colleague’s session is fair game.
We talked a bit about onboarding training early on, and it’s important to continue to provide regular security awareness training for all staff on key issues. Just like in onboarding, making training relevant, interactive and flexible is key, as is highlighting security awareness issues including:
– Procedures for authentication, network connections and device access
– Securing physical devices
– Software installation and patching
– Email hygiene, recognizing phishing
– Confidentiality and privacy
An example of a well-designed ongoing security training and incentive program is Adobe’s “Security Ninja” program, where employees participate and are then certified for participating in different levels of security training.
A simple way to build a security culture is in the office design itself, as well as in the level of day-to-day oversight of security concerns. For example, are workstations left open? Can anyone come into the office or is there an enforced sign-in process? Does anyone check if workstations are locked or if software updates are happening? A few key design decisions can help build employee security awareness on a day-to-day basis. For example:
– Ensure a gated entrance and sign-in process that logs who a visitor is seeing as well as when they leave, and requires an escort when inside the office
– Use security “propaganda” like posters, news stories, company intranet posts, updating images and stories regularly
– Design a standard for locking workstations (potentially using an incentive as described above)
– Regularly audit computers to ensure software updates are happening
At the end of the day, if you’ve designed the perfect security culture, but have failed to protect your data, your business will be at risk. There are a host of potential failure points for securing data, many of which are described in Digital Guardian’s recent expert interviews. We would like to stress just two key points that should be consistent and understood across your organization. Always make sure that:
– Access to sensitive data is granted on a need-to-know basis, is tracked and, to the extent possible, is anonymized when viewed.
– Data is encrypted when stored, and passwords are never stored in a recoverable form at all: they are salted and hashed with a deliberately slow algorithm. The 2015 Ashley Madison breach, in which weak password storage let attackers recover a large share of user passwords from the stolen database, shows the massive damage that can result from ineffective data management practices.
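To make the password-storage point above concrete, here is an added example (not code from the original post or from any company it mentions) using only Python’s standard library. It stores each password as a salted PBKDF2-HMAC-SHA256 hash, verifies in constant time, and detects records that were hashed under an older, weaker iteration count so they can be upgraded at the user’s next login. The iteration count and record format are assumptions chosen for illustration, not a standard.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. Passwords are never stored in a
# recoverable ("encrypted") form; they are salted and hashed with a slow KDF so
# that a stolen database does not hand an attacker the plaintext passwords.
# The values below are illustrative assumptions, not a standard.

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash takes ~100 ms on your hardware
SALT_BYTES = 16              # assumption: 128-bit random salt per password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record predates the current iteration policy (or is malformed).

    Call this after a successful verify_password() and re-hash the password the
    user just typed, so old records are upgraded transparently over time.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))               # False
```

Two properties worth noticing: hashing the same password twice yields different records because the salt is fresh each time, which defeats precomputed tables, and the iteration count lives inside the record, so raising the policy later does not invalidate existing logins.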
Keeping your business secure during and after employee exits
When employees leave, there’s the opportunity for them to retain credentials and access that can cause substantial damage to the business. In fact, up to 45 percent of employees who leave their job still have access to confidential data. While most former employees will never act on this access, a few have and will continue to do so after departing a company. There are myriad examples of former employees causing substantial damage to a business, with costs that can extend to the millions. In addition to tracking data access during employment, there are a few additional processes to ensure a smooth and safe exit:
– Ensure the business has an access dashboard for all employees that enables IT/security to remove remote access and disable user accounts. Ottawa-based Bluink is one company providing comprehensive employee account access management.
– Design an exit process that enables HR to immediately notify IT when an employee is exiting the business. The process of disabling user accounts and reclaiming equipment needs to happen in real time.
– Use your ongoing tracking of data access privileges to identify potentially high-risk exits. Engineers and HR professionals are examples of roles that may have access to highly sensitive and valuable data. For these individuals, do an extra level of diligence to assess data risks prior to exit, and to ensure no confidential information has been distributed.
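The three exit steps above come down to one recurring check: does anyone who is no longer on the HR roster still hold an enabled account? Here is an added example (not code from the original post or from any vendor it names) that reconciles an HR roster export against an account inventory, lists the accounts that should already be disabled, and flags the high-risk roles the text calls out. The roster, the account list, the role names and the zero-day grace period are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Added example, not from the original post or any vendor it mentions.
# Reconciles an HR roster against an account directory to find people who have
# left but still hold enabled accounts, the situation the "45 percent" figure
# describes. All data below is constructed; roles and grace period are assumptions.

HIGH_RISK_ROLES = {"engineer", "hr"}   # assumption: roles with broad data access
GRACE_PERIOD = timedelta(days=0)       # assumption: disable on the exit day itself


@dataclass(frozen=True)
class Person:
    email: str
    role: str
    end_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    email: str
    system: str
    enabled: bool


@dataclass(frozen=True)
class Finding:
    email: str
    system: str
    role: str
    days_since_exit: int   # -1 when HR has no record of the account owner
    high_risk: bool


def orphaned_accounts(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Return enabled accounts whose owner has left (or is unknown to HR)."""
    by_email = {p.email.lower(): p for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = by_email.get(acct.email.lower())
        if person is None:
            # No HR record at all: an ex-employee missing from the export, a
            # shared account or a service account. Either way it needs an owner.
            findings.append(Finding(acct.email, acct.system, "unknown", -1, True))
            continue
        if person.end_date is None or person.end_date + GRACE_PERIOD > today:
            continue  # still employed, or exit date not yet reached
        days = (today - person.end_date).days
        findings.append(Finding(acct.email, acct.system, person.role, days,
                                person.role in HIGH_RISK_ROLES))
    # High-risk and longest-standing first, so the list is an actionable queue.
    findings.sort(key=lambda f: (not f.high_risk, -f.days_since_exit, f.email, f.system))
    return findings


# Constructed sample data standing in for an HR export and an IdP account dump.
SAMPLE_ROSTER = [
    Person("alice@example.com", "engineer", date(2017, 1, 13)),
    Person("bob@example.com", "marketing", None),
    Person("carol@example.com", "hr", date(2016, 12, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "vpn", True),
    Account("alice@example.com", "git", True),
    Account("bob@example.com", "vpn", True),
    Account("carol@example.com", "hris", True),
    Account("carol@example.com", "vpn", False),   # already disabled
    Account("dave@example.com", "vpn", True),     # nobody in HR knows who this is
]

if __name__ == "__main__":
    for f in orphaned_accounts(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, date(2017, 2, 1)):
        flag = "HIGH RISK" if f.high_risk else "normal"
        print(f"{f.email:22} {f.system:6} {f.role:10} {f.days_since_exit:4}d  {flag}")
```

Run this daily against fresh exports from HR and from every system that holds accounts (VPN, source control, HRIS, SaaS tools), and treat the "unknown" rows as seriously as the ex-employee rows: an account with no owner on the roster is exactly the kind of access that survives an exit unnoticed.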
In this article we’ve aimed to outline the levers that can help to instill a strong security culture. However, like many aspects of organizational design, there’s no magic bullet. As a first step in designing your security strategy, take inventory of the maturity of your organization’s security culture. From there, prioritizing the most important risks and opportunities will help to shape the security roadmap. Starting with visible, low-hanging fruit such as C-level communication on security can help to kick-start employee engagement in security issues.
The risks of not focusing on security are well documented. Breaches can cost companies customers, degrade the brand and even harm the business itself. At the other end of the spectrum, creating a strong security culture can actually help a company carve out a differentiated market position. Companies like Trusona, which offers a $1 million insurance policy to customers if their platform is breached, are using their confidence in internal security as a calling card for the business. Shopify’s CEO Tobi Lutke also took this stance when he publicly encouraged people to “hack Shopify.”
We believe that investing in a security culture will pay off in spades. Employee engagement in security issues will be increasingly important to driving not only risk mitigation, but also market differentiation and revenue opportunities for the business.
Editor’s Notes: Yevgeniy Vahlis co-authored this post. Signpost, eSentire and Shopify are Georgian Partners portfolio companies.