Security Needs to Be in Everyone's Job Description - From the Interns to the Board
IT security is no longer an optional extra for business. There are threats from outside attacks, from actors inside the organization and from accidental data loss.
Because the costs of failure are so high, and consumer attitudes have become much less forgiving, strong security should be a key focus for any organization, especially one that collects and stores personal or sensitive information.
Getting security right is not just about buying the right technology; it’s about creating a company culture that puts security first. Vital to creating this culture is using security that is the right size for the threat faced and the right tools for the job. Security systems must help people do their job, not make it more difficult.
People can’t remember dozens of different passwords. If security systems are not easy to use, then people will simply bypass them. They will share passwords or access cards if processes are too difficult and cumbersome. That’s just human nature.
Security must offer the right response to the threat faced and be built with people, and how they work, in mind. One of the benefits of making security people-centric is that staff are more likely to follow guidance and respect the rules.
This is not enough on its own – staff training is also vital. But this needs to be ongoing because the threat landscape is always changing. Along with information and training, it’s also important to create a security-conscious (but not paranoid) company culture. This extends to a climate where people are not afraid to own up when they make mistakes. Good security culture should also give people the confidence to raise the alarm if necessary.
If a breach or accidental data loss is identified quickly and action is taken immediately, the damage done to the organization can be reduced significantly.
Good security systems include automation to process everyday tasks. Although security needs to be everyone’s job, most organizations need specialists as well.
Specialized security personnel need time away from fighting fires to keep their skills up to speed and be aware and ready for the next threat on the horizon. One of the risks faced by cybersecurity teams is that systems are built to counter the last threat faced and not the ones coming down the line.
The final part of the jigsaw in organizational security culture is the readiness to plan to fail. This might seem counterintuitive, but the reality is that, no matter how good systems are, it makes sense to assume that a breach or loss will occur. That means practising what will happen in the event of an incident and who will do what when the worst does happen.
Think of it like a fire drill that affects people in the organization beyond the security team. Everyone affected should know what to do and what processes to follow. Practising the correct processes in the event of a breach will also help reinforce security culture across the organization.
Making the right decisions in the ‘golden hour’ immediately after a breach can also dramatically reduce the damage done to the organization.
But the real difference between a company that is ‘good’ or ‘bad’ at security is not how it acts when a problem arises, but how it acts every day: practising good security hygiene, with a high awareness of how its people's actions might keep the organization, its data and its customers safe.
FUJIFILM Business Innovation solutions can help you control access to company data as well as create audit trails to help speed an investigation if a breach or loss does occur.