Cybersecurity from the Top

May 17, 2018
Creating an effective cybersecurity culture in an organization takes active positioning by its leadership

I was 20 years old, fresh out of college and had my first real job as a security system technician. It was a great opportunity and I was extremely excited to do what it took to succeed. I had a bit of anxiety about one part of the role – climbing heights to install and service security devices. In those days, we were not provided any fall safety equipment. We worked on ladders, used scissor lifts and repaired rooftop cameras without a second thought – just boots and tools. I vividly remember one incident, when a coworker asked me to hold him by his pants belt as he stepped outside the scissor lift 35 feet above the ground. We were lucky there was never an injury – I wasn’t educated or trained in safety and neither was my employer.

Times have progressed and, now, taking safety seriously is nothing short of standard expectation throughout the integrator – or any contractor – community. Systems Integrators now hold safety classes for employees; the images of electrical accidents, slip and falls, and being ejected from a boom lift are shown repeatedly to raise awareness and eyebrows to real-life situations. Safety has become second nature in a systems integrator’s business, protecting their employees, contractors and customers from injury and accident.

Nowadays, cultivating a culture of safety within the workforce is not an option, but rather a critical aspect of any healthy organization. It is more than a business activity; it is an attitude – one that starts at the top and flows through every aspect of the business. Is cybersecurity following a similar path?

You can’t get away from it. As you watch the news, open a trade magazine or look at your social media posts, cybersecurity seems to be just about everywhere. There isn’t a week that goes by without a new story featuring a breach and loss of customers’ sensitive data.

Breaches are happening to organizations large and small; in fact, the Ponemon Institute recently reported in its 2017 Cost of a Data Breach study that one in four organizations will experience a breach.

It begs the question: Are we at a turning point where cybersecurity is taking the same path as we have seen with worker safety in the past? Well, especially given recent history, it certainly should be!

Cybersecurity is Safety

It can be argued that I am comparing life-and-death situations with protecting networks and data – but with more and more life safety devices and critical systems now communicating on the network, human safety is surely a factor. Critical support systems in hospitals communicate on networks, increasing the risk of a serious incident caused by a ransomware shutdown. An attack on critical infrastructure may result in disruption of the water supply or electrical power, potentially causing dangerous outages. The examples go on and on.

Outside of human safety, a breach of sensitive data can be absolutely devastating to an organization. Its impact often has a chain effect and can further impact the organizations doing business with the company, as well as its employees and other outside vendors. It is especially devastating to a small business, which is often not prepared.

Studies show that the cost of a breach to a small business starts at $84,000. Can your security business afford that? In addition, the negative public relations or damage to brand and credibility alone can be too much for a firm charged with providing protection to others.

The tides are changing, and if as a business leader your approach to addressing cybersecurity is “My IT person deals with that,” it is time to face reality and change your strategy.

Cybersecurity is so much more than simply an “IT thing.” It is about building a culture throughout your entire company – a strategy that requires leadership willing to drive that change. It does not exclude IT, but rather leads, supports and embraces the initiatives required to make it successful. It requires ALL of your departments working together. It is an ongoing company function and an underlying, daily philosophy.

Culture of Safety Meets Cybersecurity Culture

As the business leader, weaving a culture of cybersecurity through all aspects of your business should be your strategic goal. It should become a standard mindset supported by business activities throughout all departments.

In order to achieve that objective, your entire organization must be trained as to how they can make a difference as cyber defenders. A mistake by a single employee – an email sent to the wrong customer, a fraudulent invoice paid, an attacker’s phishing email successfully clicked – and your business can change for the worse.

Cybersecurity should be a key part of the decision-making process in many initiatives you make within your organization. A security-first approach is the right approach. It should be top of mind when considering the devices you sell, who you decide to work with and what products your organization uses. Develop a plan and execute it in your daily operations.

As with any change in an organization, you can expect some challenges. Cultivating a culture of cybersecurity and instituting the necessary improvements is no different than altering any other existing business practice. It requires implementing technical controls, policies and processes that your team members may initially reject if not implemented wisely. A Bring Your Own Device (BYOD) policy is a good example – how do you manage this with employees who are accustomed to the convenience of conducting company business on their personal devices?

Selling the Change

I recently visited a school and overheard teachers complaining that the IT department had shut down the ability for staff and faculty to visit personal social media sites. They were not speaking kindly about the IT people who had made security improvements, whose decision was based on simply protecting the school and its data. Understandably, when tightening of cybersecurity controls occurs, it is unfamiliar and often misunderstood by many employees. Without proper education they may never understand that social media can be used as an attack method, potentially putting the school network at risk. Education, awareness and culture all need to be built, prioritized and led (by example, from the business leader) to be successful.

Unfortunately, some of the changes that need to occur to an organization’s cybersecurity posture may seem inconvenient, tedious and unnecessary to employees. Without the business leader taking the time to guide the organization through the change you can expect an upset (and often unwilling) group of team members. Being transparent can help everyone understand the reason for the change and the benefits it produces. Consider addressing these questions:

  • Why are these levels and layers of security processes being added?
  • What are some of the current threats the organization faces?
  • How can a breach affect our company, our customers, and our employees?
  • What is the possible impact of a breach to an employee’s career and livelihood?
  • How can everyone play an important part as cyber-defenders?
  • Why is our cybersecurity training program so important?
  • Why is cybersecurity about more than just technology?

Your team plays an integral role in protecting corporate data. In many cases, they often have unlimited access to a great deal of sensitive customer information on a daily basis. This means that they need to understand how to protect it and what it means if it is lost, stolen or damaged.

In your cultural change, be sure to have some fun with it – it doesn’t have to be all doom and gloom; in fact, the more you can lighten up the topic and requirements, the better. I have seen organizations perform phishing tests on their employees and provide free ice cream to the folks who don’t click; or IT departments who give first-in-line passes for technical support to the cyber defenders who complete their training on time.

There will be mistakes as well, which should be expected, then corrected. When your team recognizes that they made an error and may have clicked on a suspicious email, encourage them to report the incident and, rather than getting upset, be thankful they provided you information on a potential risk so you could work on immediate remediation.

Third Party Changes

As a young technician, I remember the first general contractor on a jobsite walking us through a one-hour construction site training class before we were allowed on site. It was new in those days, only to become the norm today. It was obvious they took safety on their site seriously, and if we were going to work there, we knew that a violation of the safety rules would mean being thrown off the jobsite.

In the same way, cybersecurity is shifting as well, so get prepared for it. Your customers, if they haven’t already, are going to be asking you about what cybersecurity programs you, the security integrator, have in place to ensure that they are protected. Why? Well, they are giving you digital floor plans of their facilities and IP addresses, allowing you to install IP-enabled devices on their networks, and allowing your technicians access to sensitive data rooms. A breach at your company, or caused by your company, involving their data and infrastructure may have a domino effect impacting their business and potentially their customers, shareholders and employees. They have good reason to ask questions.

With the right preparation, culture, and attitude, you should have the right answers.

Expect it to start showing up everywhere. For example, systems integrators across North America are starting to see Request for Proposal (RFP) documents that include cybersecurity requirements that go beyond cyber insurance. This is just the beginning.

All the Angles, All the Time

No matter how you look at it, employee safety and cybersecurity are now just aspects of running (and protecting) your business. You can no longer silo cybersecurity and say someone else has it covered – there is just too much at stake.

If your organization has a cyber incident and your customers are affected, you will not be able to sweep it under the rug. You, as the leader and face of the business, will be the one navigating the storm answering internal and external questions, scrutiny and demands. There may be legal obligations or media coverage to address. If an incident happens, you want to be in the driver’s seat with an incident response plan that clearly details remediation, public relations communication, legal response, access to insurance plans and more.

IT cannot do it alone, nor should it. Support them by showing the rest of the company that you are leading the vision of a better cybersecurity posture. Invite the conversation into the board room, not the server room, and get your entire company behind this important – and arguably inevitable – change.

In the end, make sure you aren’t the one hanging by your belt.

Rob Simopoulos is a Co-Founder of Defendify (www.defendify.io), which makes cybersecurity possible for small business through an all-in-one cybersecurity platform. In more than 20 years in the security industry, Simopoulos has been an entrepreneur, receiving numerous awards and recognition. He can be reached at [email protected], 888-508-9221 x 101.