Who protects your organization’s data and system security? Your CEO? CTO? CISO? HR? All of the above and others?
If you selected the last option, you’d be right. While data and IT systems security are often viewed as the responsibility of the CIO (or some C-level executive), in truth, data security is the domain of everybody in the organization.
Not focusing on the human side of security can put everything at risk. Media reports continually provide stories of how a single employee’s innocent click on a phishing email took down an entire system or exposed thousands of customer records to nefarious hackers.
Protecting against these simple, yet devastating, missteps requires constant and ongoing vigilance and the understanding that you and your employees—from the bottom of the organization to the top—are all in this together.
The importance of human layer defence
Hackers are crafty, but they’re not infallible. Technology-based perimeter defences have gotten so good at keeping attackers at bay that hackers have shifted their approach to focus primarily on the widest attack surface and most vulnerable endpoint: the people who log in to network-connected devices.
Humans are now the primary attack vector. Attackers are doing a simple ROI analysis: why spend days, weeks, or months attempting to defeat technical controls when they can just trick Bob in accounting into giving them what they want?
Taking steps to strengthen your human layer of defence is essential to any organizational security posture. Doing so won’t replace technical controls; it will augment them by adding another layer to your cybersecurity defence arsenal.
Companies must leverage both technology and people for maximum security
When it comes to data and security, we’ll always have to address (and keep evolving) both sides of the technology-and-people equation. Failing to implement standard, reasonable technology-based tools that improve an organization’s security posture would simply be negligent. Likewise, failing to acknowledge that even the best technology-based solutions will never be 100 per cent effective at stopping bad actors from targeting people with well-crafted phishing emails is also negligent.
The two approaches are not mutually exclusive. We know that even the strongest security protocols, including those that are well-communicated to employees, remain at risk from people who intentionally or unintentionally find ways to bypass these controls.
Quick tips for bolstering your people-focused security efforts
So, what can you do to ramp up your human layer defence? A number of things. It starts with understanding that security is a journey and a conversation, not a destination and a directive. Set the expectation that security doesn’t just happen—it’s a continual journey where you’re highly likely to encounter detours, distractions, and even danger.
Here are some quick tips for gaining and maintaining internal support for your security awareness initiatives:
- Sell by using stories: always be on the lookout for analogies and anecdotes that help make your points.
- Create alignment: make sure your security program and related messages are aligned with your organization’s values, strategy, mission, and initiatives.
- Build on what’s known: tie your efforts to already known and understood compliance requirements.
- Use the media: use current events and stories in the media to help educate and advocate, but avoid using these stories as scare tactics.
- Mirror best practices: align your program to established industry best practices, like the NIST Cybersecurity Framework or the National Association of Corporate Directors’ guidance on cybersecurity.
Finally, lead with empathy and know your audience. Keep in mind that most of your communication efforts won’t be in the form of large, formal presentations. Instead, the power of these connections will come from informal one-on-one discussions with individual stakeholders. That’s how you can make an impact — one person at a time. These individuals will then become your advocates or ambassadors, helping you make the case for ongoing efforts to protect data and systems security.
Take steps to make your employees your staunchest allies and best defence against cybercrime.