“So, how do I get my son back?” The famous line from Tom Mullen, Mel Gibson’s character in the 1996 flick Ransom, paints a clear picture of what we are dealing with today regarding cyberwarfare. But instead of our children being abducted, it’s our data that’s being held captive.
Every 40 seconds a business falls victim to a ransomware attack. This billion-dollar industry is exploding, with attacks growing at a yearly rate of 350%. And by 2021, cybercrime will cost the world more than $6 trillion annually, according to Cybersecurity Ventures’ 2016 Cybercrime Report. The epidemic is sweeping across the globe, and just when we think we might be gaining ground on our digital adversaries, a new, more powerful and complex attack is launched.
Headlines highlight a world where network breaches and cyberattacks arrive under clever names and then demand payment in digital currencies like Bitcoin — all of which sounds like something scripted for a Hollywood blockbuster. But the escalating ultimatums attached to each variant are a far cry from their trivial names, and for those who simply refuse to pay, the fallout can be catastrophic.
Fortunately, all ransomware attacks have one thing in common: They thrive on human error. So, with the proper behavioral changes, organizations can greatly minimize their chances of suffering a devastating blow. It all starts with developing a culture of cybersecurity. But what does that look like? And how can businesses make sure their culture stands up to the latest and greatest threats?
Here’s a closer look at what it means to have a culture of cybersecurity in your organization:
A successful cybersecurity culture cannot exist without first identifying your organization’s risk tolerance. This means there needs to be an established agreement assessing what data and systems must be protected, the level of security needed to protect these assets and how to go about securing them. The answers to these questions are vital to any and all information security policy frameworks and will drive the level of security within the organization, from what’s expected of each employee to the overall governance structure.
Human vulnerabilities exist at all levels of an organization, from top to bottom. That means the C-suite also needs to be on board with security protocols with just as much fervor as the executive assistants who mind the phones. Why? Because hackers make a living finding weak links and exploiting them. How do you get there? A consistent buy-in among employees starts with driving home the fact that everyone has a role to play in protecting the company’s assets, and no role is more important than any other. Additionally, employees are more likely to stay committed to the task if the security concepts can be easily implemented into their daily routines, much like brushing their teeth.
While cyberwarfare is a battle fought in the digital world, a company’s physical environment is just as important in maintaining a certain level of security. The atmosphere not only reveals a lot about the strength of a company’s cybersecurity culture, it also visually reinforces the policies in place. For instance, when you walk into the Pentagon and look around, you know the place is locked down tightly. The consequences of not following security protocols are clearly not lost on anyone walking its 17.5 miles of corridors and floor area, all enclosed by steel-reinforced concrete walls. Maintaining a high level of security starts with the walls that encase the organization and moves inward. If your organization is a security mess, then employees won’t need to be shown the policies. They will already know what’s expected of them: not much.
Your employees are your No. 1 defense against a cyberattack. Likewise, they are also your biggest vulnerability, so the need to effectively educate, train and test them cannot be overstated. Too many companies think an annual cyber training class or stocking up on security technology will protect their organizations. This couldn’t be further from the truth.
Effective education changes behavior, and true change can’t be accomplished overnight. Regularly scheduled training sessions should be on the books. While every job title may require specific training, the fundamentals of any training program should include solid password practices, email and cloud security standards, safe internet browsing, proper social media behavior, and mobile device security measures.
It should also be noted that throwing policies and procedures at employees is not enough. A proper training program teaches the “why.” Why is it important to know what a phishing email looks like? Why is enabling two-factor authentication a necessity? What is the purpose of having secure passwords and a password manager? Driving home the why will help employees understand the big picture and increase the chances of a significant behavioral change.