Security culture explained

by Megan Barker

If you’re reading this, and you don’t live under a rock, you know organizational security is important. But, these days, the term ‘organizational security’ means so much more than it has in the past. It’s not quite as simple as installing a highly-rated anti-virus solution on employees' computers and calling it a day.

One can hire the best IT security people, purchase the most secure software, and procure the services with the safest and most private practices, and it’s still not enough. As we’ve learned, even high-profile organizations with every resource at their disposal aren’t immune to missteps.

What such organizations, and many others just like them, lack is a true culture of security.

A what?

A culture of security is the collective habits of employees who engage in security defences, and actively help protect an organization. When everyone on your team, from entry-level folks to your CFO, has an interest in the safety of operational data, you’ve created a security culture. As I said before, though, it’s about so much more than computers and software.

When most people think of security, they think of devices. We must lock down the devices! But security culture focuses on human behavior because it’s just as important.

Human error remains a leading cause of data breaches around the world. In other words, the companies affected can have their hardware security in place, but it’s the human element that causes trouble in the end.

So, how do we avoid the missteps?

Most people want to do the right thing. In a security culture, you teach people the right thing so when they’re faced with decisions, their default choice is the correct one.

Create a culture

There are many things you can do to create a culture of security. Let’s discuss just a few.

When you build something, the first step typically involves preparation, or putting things down on paper. A culture of security is no different. To start, draft company policies. Get all team leaders - including those of the privacy, security, and HR teams - involved and give people the guidance they need. And make the policies reasonable. Guidelines that make your employees' job harder won’t be effective, no matter how secure they may seem.

For example, let’s examine a standard corporate password policy (this is real, by the way). Each 14-character-minimum password needs to be complex - a feat that’s difficult enough for humans to achieve alone - and it can’t be used more than once.

Now, when you consider that the average US email address is associated with about 130 online accounts, that’s 130 complex, unique passwords. Oh, and you need to change them every 90 days or so. How can anyone comply with that? They record their passwords on paper, which is also against policy (I hope).

Password policies are just one example, but they bring me nicely to the next point: give people what they need to succeed.

Productivity software and services that support more secure practices make security-related decisions easier (or unnecessary). 1Password, as a random example, is a secure password manager that would make password worries a thing of the past.

Your team also needs training. Education instills confidence and changes habits for the better. Be open to conversations about how people want to learn. Empowered employees are much more likely to embrace the culture and practice mindful habits.

After you create a culture of security, you need to sustain it, and employee recognition can help. Even an informal announcement about recent issues that have been brought to the attention of the security team can boost engagement and make people more enthusiastic about sharing what they find. This can also help maintain the lines of communication between the Security team and the rest of company, which is important. People need to feel encouraged to ask questions and voice concerns without judgement.

Partnerships between Security team members and team leaders can be helpful, too. At 1Password, we’ve created the Security Ambassador program, which pairs a member of the 1Password Security team with a senior member of every major business group in the company. They meet weekly to relay information and discuss any issues or questions. A program like this leads to better relations between the security team and the company as a whole, and issues and bugs are spotted sooner in their respective processes.

But don’t stop there! Continue to offer training and other learning opportunities, and keep documentation and resources handy and up to date so your culture can only grow and thrive.

By the numbers

The statistics surrounding this subject are murky at best. In 2014, IBM reported human error was the cause of an astounding 95 percent of data breaches. In 2020, they lowered their estimate to 23 percent. That same year, a joint study conducted by Stanford University and security firm Tessian placed it at 88 percent. Verizon almost agrees. Others have it somewhere in between.

Even if human error accounts for just one quarter of all data breaches, that’s pretty significant — especially given it’s something we can easily improve (relatively speaking). And that improvement can have more benefits than just organizational security. Open communication among teams and better morale are things you should aim for in general.

When you create a culture of security, you greatly reduce your risk of being a statistic. Will everything be absolutely perfect, all the time? No. Strive for progress, not perfection. But reasonable policies, helpful tools, confidence, and education will help your team make the right decisions when things go wrong.

Megan Barker, Security Scribbler