Biden Signs Executive Order Addressing AI
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
President Joe Biden issued an executive order (EO) on Oct. 30, 2023, to establish standards for artificial intelligence (AI) safety and security, protect privacy, advance equity and civil rights, and advocate for consumers and workers. It also seeks to promote innovation and competition and advance American leadership around the world while ensuring responsible and effective government use of AI.
Directed Actions
The EO seeks to build on the voluntary commitments of 15 leading companies by:
- Requiring developers of the most powerful AI to share their safety test results and other critical information with the U.S. government
- Developing standards, tools and tests regarding AI’s safety, security and trustworthiness
- Protecting against the risks of using AI to engineer dangerous biological materials
- Protecting against AI-enabled fraud and deception by establishing standards and best practices for detecting AI-generated content and authenticating official content
- Establishing an advanced cybersecurity program to find and fix critical software vulnerabilities
- Ordering the development of a National Security Memorandum on AI use and security
The EO also seeks to address privacy concerns by calling for the passage of bipartisan data privacy legislation and directs actions to prioritize federal support for accelerating the development and use of privacy-preserving techniques. It calls for action to strengthen privacy-preserving research/technologies and privacy guidance for federal agencies, develop guidelines for federal agencies to evaluate the effectiveness of privacy-preserving techniques, and evaluate how agencies collect and use commercially available information.
To advance equity and civil rights, the EO directs actions to provide clear guidance to landlords, federal benefits programs and federal contractors; address algorithmic discrimination; and ensure fairness in the criminal justice system. In support of workers’ rights, the EO calls for actions to develop principles and best practices, produce a report on AI’s potential impacts on the labor market, and study and identify options for strengthening federal support for workers facing labor disruptions.
In the pursuit of innovation and competition and advancement of American leadership, the EO directs action to catalyze AI research; promote a fair, open and competitive AI ecosystem; and expand the ability of highly skilled immigrants with expertise in critical areas to study, stay and work in the United States through existing authorities. The EO directs action to expand bilateral, multilateral and multistakeholder engagements to collaborate on AI; accelerate the development/implementation of vital AI standards; and promote the safe, responsible and rights-affirming development and deployment of AI abroad.
To ensure responsible and effective government AI use, the EO directs action to issue guidance for agencies’ use of AI, help agencies acquire specified AI products and services, and accelerate the rapid hiring of AI professionals. The White House states the administration will work with allies and partners to govern the development and utilization of AI. For more information, contact us today.
Cyber Liability – Zero Trust Security Explained
Traditional cybersecurity protocols can’t keep up with the rapidly evolving modern workplace environment. The complexity of hybrid work, the rising number of fully remote employees and the dramatic increase in the use of cloud-based systems make traditional perimeter security ineffectual. A new security model is needed to keep the corporate network safe. This model is “zero trust.”
Zero trust is adapted to the modern workplace. It embraces mobility and protects people, networks, applications and devices, regardless of their location. Review the following guidance to learn why zero trust is important, how it works and how it can benefit your organization.
What Is Zero Trust?
Traditional network security trusts the identity and intentions of users once they are inside an organization’s perimeter. This puts the organization at risk from malicious insiders and rogue credentials, because access granted from within is not re-verified. The phrase “trust, but verify” is often used to describe traditional network security approaches.
The zero-trust approach removes the concept of trust from within an organization’s structure. With zero trust, a data breach is assumed with every access request. Every access request must be authenticated and authorized as if it originated from an open network. The concept “never trust, always verify” is emblematic of the zero-trust approach.
What Are the Benefits of Zero Trust?
The zero-trust approach is one of the most effective ways for organizations to control their network, applications, and data.
This is especially important today, as companies expand their infrastructure to include cloud-based applications and servers. The growing use of locally hosted machines, virtual machines (VMs) and software-as-a-service products, together with a dramatically increasing number of remote employees, has made it difficult for organizations to secure their systems and data.
Implementing a zero-trust approach benefits companies in a wide range of ways, including:
- Minimizing your organization’s attack surface—By granting the lowest level of access possible for users and devices to perform their essential functions, organizations can minimize the affected area within their organization should a breach occur.
- Improving audit and compliance visibility—The first step to implementing zero trust is for an organization to know what devices exist and which credentials are on each device. In this way, devices are constantly kept in an audit-ready state.
- Reducing risk, complexity and costs—All access requests are vetted prior to allowing access to any company assets or accounts. This dramatically increases real-time visibility within the organization and helps prevent costly data breaches.
- Providing Layer 7 threat prevention—Layer 7 refers to the application layer of the Open Systems Interconnection (OSI) model. This layer identifies communicating parties, supports end-user processes and applications, and handles privacy and user authentication. By establishing who can access the different levels of your organization at any given time, the zero-trust approach stops unauthorized users or applications from accessing your organization’s crucial data and prevents the unwanted exfiltration of sensitive information.
- Simplifying granular user-access control—Zero trust requires an organization to define which users may access certain aspects of an organization. As a rule, each user is granted the least privilege possible to perform their necessary functions.
- Preventing lateral movement—Segmenting the network by identity, groups and function allows organizations to contain breaches and minimize the damage from a hacker who was allowed to move freely within the organization’s perimeter.
How Does Zero Trust Work?
By combining a wide range of preventative techniques, including identity verification, behavioral analysis, microsegmentation, endpoint security, and least privilege controls, implementing a zero-trust approach can significantly reduce an organization’s risk of becoming a data breach victim.
Zero trust relies on three essential principles:
- Verify explicitly. Every user request must be authenticated and authorized using all available data points. This step is designed to ensure the person or application requesting access is who they say they are.
- Use least privileged access. Users should be given the least amount of access necessary to perform their authorized functions. Just-in-time (JIT) and just-enough access (JEA), risk-based adaptive policies and data protection can all help secure data and user productivity.
- Assume breach. Use end-to-end encryption to prevent data from flowing to undesired endpoints. Use analytics to drive threat detection, improve visibility and enhance defenses.
How Can I Implement Zero Trust?
Zero trust is relatively simple to deploy. Adopting the principles of zero trust doesn’t require any costly products. Use the following principles to employ zero trust at your organization:
- Define the attack surface. To adopt a zero-trust framework, your organization’s critical data, assets, applications and services must be identified. This critical information forms a “protect surface,” which is unique to every organization.
- Create a directory of assets. Determine where the sensitive information lives and who needs access to it. Know how many accounts there are and where they connect. Consider removing old accounts and enforcing mandatory password rotation.
- Adopt preventative measures. Give users the least amount of access necessary to do their work. Use multifactor authentication to verify accounts. Establish micro-perimeters to act as border control within the system and prevent unauthorized lateral movement.
- Monitor continuously. Inspect, analyze and log all data. Escalate and store logs with anomalous activity or suspicious traffic. Have a clear plan of action for how to handle anomalous activity.
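The four steps above, together with the three principles in the previous section, map naturally onto a policy decision point that sits in front of every resource. The following is an added example written for this article, not code from RISQ Consulting or from any zero-trust product: a small Python evaluator in which the protect surface, the device directory, the role permissions, the network segments and the users are all constructed sample data. It shows how a single request is checked explicitly (MFA and device posture), restricted to least privilege, fenced by micro-perimeters, and logged, with denials that look like lateral movement queued for escalation.

```python
"""Minimal zero-trust policy decision point (added example, constructed data).

Every request is evaluated as if it arrived from an open network: identity and
MFA are checked explicitly, device posture is checked against the asset
directory, least-privilege rules decide what the role may touch, micro-perimeters
keep requests from crossing into segments they do not need, and every decision
is logged. All users, devices, resources and policies below are made up."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool   # the identity provider completed an MFA challenge
    device_id: str
    source_network: str  # "corp-lan", "vpn" or "internet"
    resource: str
    action: str          # "read" or "write"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    anomalous: bool = False  # True when the denial should be escalated


# Protect surface: critical assets, the segment each lives in, its sensitivity.
PROTECT_SURFACE: Dict[str, Dict[str, str]] = {
    "hr-payroll-db": {"segment": "hr", "sensitivity": "high"},
    "crm": {"segment": "sales", "sensitivity": "medium"},
    "wiki": {"segment": "general", "sensitivity": "low"},
}

# Least privilege: each role is granted only the (resource, action) pairs it needs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "hr-analyst": {("hr-payroll-db", "read"), ("wiki", "read")},
    "sales-rep": {("crm", "read"), ("crm", "write"), ("wiki", "read")},
    "engineer": {("wiki", "read"), ("wiki", "write")},
}

# Directory of assets: managed devices and whether each currently meets policy.
DEVICE_INVENTORY: Dict[str, Dict[str, bool]] = {
    "laptop-0042": {"managed": True, "compliant": True},
    "laptop-0099": {"managed": True, "compliant": False},  # patches overdue
}

# Micro-perimeters: which source networks may reach each segment at all.
SEGMENT_INGRESS: Dict[str, Set[str]] = {
    "hr": {"corp-lan", "vpn"},
    "sales": {"corp-lan", "vpn", "internet"},
    "general": {"corp-lan", "vpn", "internet"},
}

AUDIT_LOG: List[str] = []         # every decision, allow or deny
ESCALATION_QUEUE: List[str] = []  # anomalous denials for the response team


def evaluate(req: AccessRequest) -> Decision:
    """Apply verify-explicitly, least-privilege and assume-breach to one request."""

    def deny(reason: str, anomalous: bool = False) -> Decision:
        line = (f"DENY user={req.user} role={req.role} res={req.resource} "
                f"act={req.action} why={reason}")
        AUDIT_LOG.append(line)
        if anomalous:
            ESCALATION_QUEUE.append(line)
        return Decision(False, reason, anomalous)

    # 1. Verify explicitly: being "inside" earns no trust; the identity must
    #    carry a completed MFA challenge and the device must be known and
    #    currently compliant.
    if not req.mfa_verified:
        return deny("mfa-required")
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device["managed"]:
        return deny("unknown-device", anomalous=True)
    if not device["compliant"]:
        return deny("device-noncompliant")

    # 2. Least privilege: the role must hold this exact resource/action grant.
    asset = PROTECT_SURFACE.get(req.resource)
    if asset is None:
        return deny("resource-not-in-protect-surface", anomalous=True)
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        # A valid identity reaching for data outside its role is what lateral
        # movement looks like from inside the perimeter, so escalate it.
        return deny("not-permitted-for-role", anomalous=True)

    # 3. Assume breach: the micro-perimeter check means a foothold on one
    #    network cannot freely reach a high-sensitivity segment.
    if req.source_network not in SEGMENT_INGRESS[asset["segment"]]:
        return deny("segment-ingress-blocked", anomalous=True)

    AUDIT_LOG.append(f"ALLOW user={req.user} role={req.role} "
                     f"res={req.resource} act={req.action}")
    return Decision(True, "ok")


if __name__ == "__main__":
    for r in [
        AccessRequest("alice", "hr-analyst", True, "laptop-0042", "vpn", "hr-payroll-db", "read"),
        AccessRequest("bob", "engineer", True, "laptop-0042", "corp-lan", "hr-payroll-db", "read"),
        AccessRequest("alice", "hr-analyst", True, "laptop-0042", "internet", "hr-payroll-db", "read"),
    ]:
        print(evaluate(r))
    print("escalate:", ESCALATION_QUEUE)
```

The order of the checks is deliberate: identity and device posture are settled before the policy looks at what is being asked for, so a request with no MFA is rejected without revealing whether the resource even exists, and the segment check runs last because it only matters once the role is otherwise entitled to the data. In a real deployment the dictionaries would be fed by the identity provider, the device-management platform and the asset inventory rather than hard-coded.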
For additional risk management guidance and insurance solutions, contact us today.
Endpoint Detection and Response Explained
Endpoint detection and response (EDR) is a cybersecurity solution that continuously monitors security-related threat information and endpoint data to detect and respond to ransomware and other kinds of malware. It provides visibility into security incidents occurring on endpoints—such as mobile devices, desktop computers, laptops, embedded devices and servers—to prevent damage and future attacks. This article discusses the importance of EDR solutions, how they work and the types of threats they can detect.
The Importance of EDR Solutions
According to the Identity Theft Resource Center, nearly 294 million people were impacted by 1,682 data breaches at U.S. corporations in 2021. As cyber threats grow more sophisticated and frequent, and remote work more common, these advanced attacks have become more difficult to identify in real time. Therefore, it’s important for organizations to prioritize cybersecurity measures that can deflect, analyze and respond to the constant barrage of cyberattacks. EDR solutions can provide a number of features that improve an organization’s cybersecurity risk management, including:
- Improved visibility—EDR solutions continuously collect data and analytics before compiling them into a single, centralized system. These insights can give security teams full visibility into the state of a network’s endpoints from a single console.
- Rapid investigations—Since EDR solutions automate data collection and processing, security teams can gain rapid context regarding incidents and take steps to quickly remediate them.
- Remediation automation—Security teams can allow EDR solutions to automatically perform certain incident response activities based on predefined rules, enabling them to block or rapidly remediate incidents.
- Contextualized threat hunting—The continuous data collection and analysis provided by EDR solutions can allow threat hunters to identify and investigate potential signs of an existing issue.
How Do EDR Solutions Work?
EDR solutions offer advanced threat detection, investigation and response capabilities—including incident data search and investigation triage, suspicious activity validation, threat hunting, and malicious activity detection and containment—by constantly analyzing events from endpoints to identify suspicious activity. These tools provide continuous and comprehensive visibility into what is happening in real time by recording activities and events taking place on endpoints and all workloads. By generating alerts, security teams can uncover, investigate and remediate issues. The primary functions of an EDR security system include:
- Monitoring endpoints and collecting activity data
- Analyzing data to identify threat patterns
- Using behavioral analysis to detect anomalies
- Removing or containing identified threats
- Notifying security personnel
- Researching identified threats and searching for suspicious activities
Overall, EDR solutions can be used to shorten response times for incident response teams and eliminate threats before damage is done.
What Types of Threats Do EDR Solutions Detect?
EDR is an integral part of an organization’s complete information security posture. It can detect the following threats to a network:
- Malware, including spyware, ransomware, viruses and bots
- Misuse of legitimate applications
- Stolen user credentials
- Suspicious user activity and behavior
- Fileless attacks, in which no malicious software is installed on disk and which are therefore more likely to be missed by antivirus tools
Conclusion
EDR solutions are helpful in protecting both the enterprise and the user while also adding value to a company’s integrated approach to cybersecurity. Furthermore, they are frequently required by insurance underwriters in order to obtain cyber insurance. For more risk management guidance, contact us today.
Extended Detection and Response Explained
Extended detection and response (XDR) is a security solution that offers organizations end-to-end visibility, detection, investigation and response across multiple security layers. Unlike endpoint detection and response (EDR), XDR provides a holistic view of threats across the entire technology landscape rather than only those within managed endpoints. This article explains what XDR is and how it works, outlines the benefits of XDR and discusses how it compares to EDR.
What Is XDR and How Does It Work?
XDR uses data collected across multiple security layers to provide IT and security teams with real-time, actionable threat information. By utilizing extended visibility, analysis and response across endpoints, workloads, users and networks, XDR can help organizations reduce blind spots, detect threats faster and jump-start threat remediation. Essentially, XDR helps security teams:
- Recognize advanced and hidden threats
- Detect and follow threats in and across various systems
- Improve the time it takes to detect and respond to threats
- Improve the threat investigation process
There are several components of XDR that provide organizations with a wider grasp of threats via the following:
- An analysis of internal and external traffic—XDR can identify cybersecurity threats even after they’ve bypassed system perimeters.
- Integrated threat intelligence—XDR learns from attacks on other systems to detect similar events in its own environment.
- Machine learning-based detection—XDR can detect zero-day and nontraditional threats that bypass signature-based methods.
The Benefits of XDR
XDR adds value to organizations by combining multiple security offerings into one incident detection and response product. Benefits of XDR include:
- Greater visibility and context—Threats that utilize legitimate software, ports and protocols can often slip past system defenses undetected. With XDR, security analysts can see threats on any security layer. It can also offer insights into how an attack happened, who was affected and how it spread.
- Improved prioritization—As cyberthreats become increasingly frequent, it can be difficult for IT and security teams to keep up with security alerts. XDR can help prioritize threats by grouping related alerts across the framework and presenting the most important ones.
- Enhanced automation—XDR’s automation abilities allow IT teams to handle a large volume of data and consistently execute complex processes.
- Faster detection and response—Since XDR is continuously monitoring the technology landscape, it enables organizations to detect and respond to threats faster than before.
- More sophisticated responses—XDR can tailor specific, systematic responses and leverage other control points to minimize the overall impact on the affected endpoint.
How Does XDR Compare to EDR?
XDR is an evolution of EDR—a cybersecurity solution that continuously monitors security-related threat information and endpoint data to detect and respond to ransomware and other types of malware. However, EDR can only detect and respond to threats inside managed endpoints, which limits the scope of threats that can be detected. In contrast, XDR goes beyond the capabilities of EDR by analyzing all security layers and offering organizations a more holistic view of threats.
Conclusion
In an increasingly complex threat landscape, XDR solutions can provide organizations with flexible and efficient security enforcement and remediation. For more risk management guidance, contact us today.
No Holidays for Hackers: Higher Revenue Losses for Non-weekday Cyber Events
Ransomware events that occur on holidays and weekends cause much higher revenue losses than cyber incidents occurring on weekdays—primarily due to lower staffing levels—according to a survey of over 1,200 cybersecurity professionals.
Security firm Cybereason found that nearly half (44%) of organizations drop security staffing levels on holidays by as much as 70%, and under a quarter of respondents reduce their security staff by 90% from normal weekday levels. Just 7% of organizations have at least 80% of their security professionals available on holidays and weekends.
The impact is clear: one-third of respondents said they saw a much greater financial toll from weekend and holiday attacks, up from 13% in 2021’s study. The losses were even higher in the transportation and education sectors, where the number of respondents reporting higher revenue losses jumped to 48% and 43%, respectively.
“Ransomware actors tend to strike on holidays and weekends because they know companies’ human defenses often aren’t as robust at those times,” said Lior Div, Cybereason CEO and co-founder. “It allows them to evade detection, do more damage and steal more data as security teams scramble to mobilize a response.”
The study also revealed slower risk assessment times during breaks, with 60% of respondents saying it took them longer to fully understand the scope of the attack. This, in turn, slows down recovery time and adds costs.
Cybercriminals already know holidays and weekends are prime attack times, especially as the strain of relentless cyber events takes its toll on security professionals. In fact, multiple high-profile cyberattacks have occurred on holidays. In 2021, hackers made headlines on Mother’s Day weekend (Colonial Pipeline), Memorial Day weekend (meat supplier JBS Foods) and the Fourth of July (software vendor Kaseya). This year might be even worse, according to a few respondents.
“This November/December is going to be particularly rough, as it’s going to be the first time some people have been able to see their families since the pandemic began. All of that means that people will be further from the office and less likely to check alerts,” said one security analyst in the legal sector.
The survey indicated a few areas where organizations can improve their resilience to off-hours cyber events. More than a third (36%) of organizations said they had no business continuity plan, despite observing other companies’ struggles to bounce back. Of those firms that have already experienced a ransomware event, nearly a quarter (24%) still don’t have a ransomware-specific contingency plan.
Some industries are better prepared than others. Specifically, the IT/telecommunications sector and construction firms were most likely to be prepared, with 84% and 81% of respondents indicating they have plans in place for weekend and holiday events. Manufacturing (67%) and health care (65%) were less prepared, despite these sectors’ potential for high revenue losses or loss of life.
Credential Stuffing
If and when you get hacked, it’s easy to think cyber criminals used some high-tech program or code to gain access to your accounts. The truth is, however, that data breaches aren’t always this sophisticated, and all malicious parties need is a little trial and error to steal your personally identifiable information. This tactic is known as credential stuffing, and it’s becoming a common tool for cyber criminals of all kinds.
Simply put, credential stuffing attacks are when a malicious party takes a stolen username and password and tries it on a variety of different websites. For example, a hacker may have purchased your Google username and password from the dark web.
Assuming that you use the same password for multiple accounts, the hacker would test these credentials on other platforms (e.g., banking or social media websites) using botnets (networks of compromised computers that carry out commands on the attacker’s behalf). Essentially, by using information from one account, criminals can potentially access data from a variety of platforms, draining bank accounts or gathering information they can sell to other malicious parties.
Credential stuffing can affect everyone, from individual users to the biggest companies. In fact, a Yahoo breach that impacted approximately 500 million users was largely carried out using credential stuffing.
Thankfully, because credential stuffing relies on victims having the same password for multiple accounts, there are some simple ways to protect yourself:
- Avoid using the same password for multiple accounts—Credential stuffing works because many users use the same password for multiple accounts. Be sure to change your passwords often and never use the same password across different accounts.
- Use two-factor authentication—While complex passwords can deter cyber criminals, they can still be cracked. To prevent cyber criminals from gaining access to your accounts, two-factor authentication is key. Through this method, users must confirm their identity by providing extra information (e.g., a phone number or unique security code) when attempting to access corporate or personal applications, networks and servers. This additional login hurdle means that would-be cyber criminals won’t easily unlock an account, even if they have the password in hand.
- Create strong password policies—For employers, ongoing password management can help prevent attackers from compromising your organization’s password-protected information. You’ll want to create a password policy that requires employees to change their password on a regular basis, avoid using the same password for multiple accounts and use special characters. Long passphrases are becoming increasingly popular as well, and may be a good option for your organization.
- Provide security training—Even the most robust and expensive data protection solutions can be compromised should an employee click a malicious link or download fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond. Your employees should also know your cyber security policies and know how to report suspicious activity.
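From the defender's side, the pattern the article describes is visible in authentication logs: one source address working through many different usernames in a short window, with most attempts failing and the occasional success where a password was reused. The detector below is an added example written for this article, not code from RISQ Consulting or from any product; the log format, the thresholds and the sample lines are all constructed. It reports the source addresses that fit the pattern and, for each, the accounts that succeeded, which are exactly the reused-password accounts that need a forced reset and a second factor.

```python
"""Credential-stuffing detector over authentication log lines.

Added example with a constructed log format. A stuffing run looks different
from a user mistyping a password: one source address tries many distinct
usernames inside a short window and most attempts fail. Any account that
succeeds from such a source is treated as compromised (password reuse)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class AuthEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log: a stuffing run from 203.0.113.7 (six accounts in
# about thirty seconds, one of them reusing a leaked password), a legitimate
# user who mistypes twice from 198.51.100.23, and one unrelated clean login.
SAMPLE_LOG = """\
2024-03-04T02:15:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-04T02:15:02Z ip=198.51.100.23 user=alice result=FAIL
2024-03-04T02:15:03Z ip=203.0.113.7 user=bob result=FAIL
2024-03-04T02:15:05Z ip=203.0.113.7 user=carol result=FAIL
2024-03-04T02:15:09Z ip=198.51.100.23 user=alice result=FAIL
2024-03-04T02:15:11Z ip=203.0.113.7 user=dave result=FAIL
2024-03-04T02:15:14Z ip=203.0.113.7 user=erin result=OK
2024-03-04T02:15:20Z ip=198.51.100.23 user=alice result=OK
2024-03-04T02:15:33Z ip=203.0.113.7 user=frank result=FAIL
2024-03-04T02:16:40Z ip=192.0.2.9 user=bob result=OK
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse log lines into events, oldest first; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                                m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events: List[AuthEvent],
                    window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5,
                    min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that try many distinct accounts in one window, mostly failing.

    Returns {ip: finding}; the finding covers the widest triggering window seen."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):           # sliding window over this IP's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    # successes from a stuffing source are reused passwords
                    "compromised_accounts": sorted({e.user for e in win if e.ok}),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The distinct-username count is what separates stuffing from a single user's typos: the legitimate user above fails twice but only ever tries one account, so the detector ignores them. Thresholds are tunable per application; a consumer site with heavy shared-NAT traffic would set them higher than an internal portal, and a flagged address is a candidate for rate limiting and for forcing the listed accounts through a password reset and MFA enrollment.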
For additional cyber risk management guidance and insurance solutions, contact us today.
Patch Management Explained
Patch management is the process of acquiring and applying software updates to a variety of endpoints, including mobile devices, computers, servers and embedded devices. Installing patches regularly is necessary to correct errors, help protect data and optimize system functions. This article provides information on how a consistent approach to patching and updating software can limit exposure to various exploits.
What Are Patches?
Patches modify operating systems and software to improve security, fix bugs and improve performance. They are created by software developers and address vulnerabilities attackers may target.
Why Is Patch Management Necessary?
Patch management is necessary for the following reasons:
- Security—Hackers look to exploit cybersecurity weaknesses. Installing patches fixes software vulnerabilities and therefore reduces an organization’s cybersecurity risks.
- Compliance—Regulatory bodies or government agencies may require organizations to adhere to patch management standards. Meeting those requirements can help businesses avoid sanctions, fines or penalties.
- Feature improvements—In addition to addressing security issues and fixing bugs, patches can also offer feature and functionality improvements to help software run smoothly.
- Minimize downtime—With the enhancements that patches provide, programs may run more efficiently. This can increase production by helping minimize downtime and improving the user experience.
How Is Patch Management Performed?
The patch management process can be carried out by a company’s IT team, an automated patch management tool or a combination of both. Steps in the patch management process include:
- Identifying IT assets (inventory) and their locations—Taking stock of IT assets and where they are located is a crucial first step in the patch management process. This is especially important as employees increasingly work remotely.
- Identifying critical systems and vulnerabilities—Being aware of critical systems and identifying and tracking vulnerabilities are also key aspects of patch management. It is important to take note of existing security features (e.g., firewalls and antivirus software) and what they are protecting against. With this information, an IT team can more readily determine which systems need to be patched when vulnerabilities are discovered or reported.
- Testing and applying patches—Before applying the patches to all systems, it is best to test them on a representative subset of IT inventory. This can help ensure the updates will not create unforeseen issues. Once testing is complete, begin rolling out the patches to the rest of the assets. It is advisable to do this in batches, as this can help identify potential issues before they become too widespread.
- Tracking progress and maintaining records—During the rollout, it is advisable to keep track of the progress being made. After the patches have been successfully installed, it is essential to keep accurate documentation that notes which assets have been updated.
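The four steps above are a pipeline: inventory, select the assets an advisory actually applies to, patch a representative pilot, roll out in batches, and record every result. The following is an added example written for this article, not code from RISQ Consulting or from any patch-management tool; the assets, versions and advisory are constructed sample data, and `installer` is a hypothetical callback standing in for whatever mechanism actually applies the update. It shows the pilot being chosen to cover each kind of asset and the rollout halting when a batch reports a failure.

```python
"""Patch rollout planner: inventory -> affected subset -> pilot -> batches -> records.

Added example with constructed data. `installer(asset, advisory)` is a hypothetical
callback that returns True when the update applied cleanly."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Asset:
    name: str
    kind: str                 # "server", "laptop" or "embedded"
    location: str             # "hq" or "remote"; remote assets are tracked too
    software: Dict[str, str]  # product -> installed version


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str
    severity: str


def version_tuple(v: str) -> Tuple[int, ...]:
    """'3.0.13' -> (3, 0, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def make_inventory() -> List[Asset]:
    """Step 1: the asset directory (constructed sample)."""
    return [
        Asset("web-01", "server", "hq", {"openssl": "3.0.8", "nginx": "1.24.0"}),
        Asset("web-02", "server", "hq", {"openssl": "3.0.13", "nginx": "1.24.0"}),
        Asset("lt-alice", "laptop", "remote", {"openssl": "3.0.8"}),
        Asset("lt-bob", "laptop", "remote", {"openssl": "3.0.11"}),
        Asset("lt-carol", "laptop", "hq", {"openssl": "3.0.8"}),
        Asset("badge-reader-3", "embedded", "hq", {"openssl": "3.0.8"}),
        Asset("kiosk-7", "embedded", "hq", {"firmware": "2.1"}),  # product absent
    ]


def vulnerable_assets(inventory: List[Asset], adv: Advisory) -> List[Asset]:
    """Step 2: only assets running the product below the fixed version need the patch."""
    fixed = version_tuple(adv.fixed_version)
    return [a for a in inventory
            if adv.product in a.software
            and version_tuple(a.software[adv.product]) < fixed]


def plan_rollout(targets: List[Asset], batch_size: int) -> List[List[Asset]]:
    """Step 3a: a pilot with one asset of each kind, then the rest in fixed-size batches."""
    pilot: List[Asset] = []
    seen_kinds = set()
    for a in targets:
        if a.kind not in seen_kinds:
            seen_kinds.add(a.kind)
            pilot.append(a)
    pilot_names = {a.name for a in pilot}
    rest = [a for a in targets if a.name not in pilot_names]
    batches = [rest[i:i + batch_size] for i in range(0, len(rest), batch_size)]
    return [pilot] + batches


def rollout(inventory: List[Asset], adv: Advisory,
            installer: Callable[[Asset, Advisory], bool],
            batch_size: int = 2) -> List[dict]:
    """Steps 3b and 4: apply batch by batch, stop on any failure, record every result."""
    records: List[dict] = []
    plan = plan_rollout(vulnerable_assets(inventory, adv), batch_size)
    for batch_no, batch in enumerate(plan):
        batch_failed = False
        for a in batch:
            before = a.software[adv.product]
            ok = installer(a, adv)
            if ok:
                a.software[adv.product] = adv.fixed_version
            records.append({
                "asset": a.name, "product": adv.product,
                "from": before, "to": a.software[adv.product],
                "batch": "pilot" if batch_no == 0 else f"batch-{batch_no}",
                "status": "patched" if ok else "failed",
            })
            batch_failed = batch_failed or not ok
        if batch_failed:
            break  # an issue surfaced; hold the remaining batches until it is understood
    return records


if __name__ == "__main__":
    advisory = Advisory("openssl", "3.0.13", "high")
    for rec in rollout(make_inventory(), advisory, lambda a, adv: True):
        print(rec)
```

Two details carry most of the value. Versions are compared as tuples of integers, because string comparison would rank "3.0.8" above "3.0.13" and silently skip assets that still need the fix. And the records list is the documentation the last step asks for: each entry names the asset, the version it came from and went to, which batch it was in and whether it succeeded, so an auditor or an underwriter can see exactly what was patched when.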
Conclusion
Having a comprehensive patch management process not only increases a company’s cybersecurity posture and helps keep the business running smoothly, but it also is a practice frequently required by insurance underwriters in order to obtain cyber insurance. Contact us today for more information.
Double Extortion Ransomware Attacks
In recent years, ransomware attacks have steadily been on the rise. These incidents—which entail cybercriminals compromising a device or server and demanding a large payment be made before restoring the technology (as well as any data stored on it) for the victim—are one of the most damaging cyberattack methods, incurring an average of $1 million in total losses per incident.
As these attacks become increasingly common, numerous ransomware techniques have also emerged. Specifically, double extortion ransomware attacks are now a potential cybersecurity concern for organizations across industry lines. This technique follows a similar protocol to that of a typical ransomware attack, but comes with an extra threat—the victim must pay a ransom not only to regain access to their technology and data, but also to keep that data from being uploaded publicly online.
Double extortion ransomware attacks are particularly concerning, seeing as these incidents can further pressure organizations to comply with ransom demands in order to keep their data private. Review the following guidance to learn more about how double extortion ransomware attacks work and what your organization can do to prevent such an attack.
How Double Extortion Ransomware Attacks Work
To outline the general framework of a double extortion ransomware attack, this technique starts out like most other ransomware incidents, in which a cybercriminal first gains access to their target’s device or server—often via phishing scams, nonsecure websites or malicious attachments. From there, the cybercriminal is able to compromise the victim’s technology and encrypt data stored on it. Then, the cybercriminal delivers their ransom demand and accompanying consequences for noncompliance.
Contrary to a typical ransomware incident, however, these consequences are twofold. That is, failing to pay the ransom could result in the cybercriminal both permanently restricting the victim’s access to their technology and sensitive data, as well as sharing this data publicly on the internet. Although double extortion ransomware attacks can occur at any organization, these incidents are most common within establishments that store a considerable amount of sensitive data. This includes health care facilities, financial institutions, government organizations and large retail businesses.
Double extortion ransomware attacks can be significantly more damaging for affected organizations than typical ransomware incidents. This is because even if organizations have protocols in place (e.g., storing data in multiple secure locations) that allow them to recover their compromised information without paying a ransom, they may still be pressured to do so in order to keep their data from going public. After all, a data breach can lead to further ramifications—including reputational damages, regulatory fines and class action lawsuits.
What’s more, cybercriminals who conduct double extortion ransomware attacks are known to demand higher ransom payments, sell or trade stolen data to other attackers for future extortion attempts and still move forward with sharing data publicly even after the ransom is paid (whether on purpose or by accident)—making these attacks all the more damaging.
Preventing Double Extortion Ransomware Attacks
When it comes to combatting double extortion ransomware attacks, it’s important to prioritize standard ransomware prevention measures. This includes conducting routine employee training on how to detect potential ransomware risks (e.g., suspicious emails or attachments), implementing policies that prohibit browsing nonsecure websites on organizational servers or devices, and installing adequate security features on all workplace technology (e.g., a virtual private network, antivirus programs, data encryption software, email spam filters, an internet firewall and a patch management system).
In addition to these key prevention measures, the best course of action for reducing double extortion ransomware attack risks is to establish an effective cyber incident response plan for your organization. This plan should explicitly address double extortion ransomware attack scenarios and outline steps that employees should take to limit the damages during such an event.
Lastly, it’s vital to secure appropriate insurance coverage for ultimate peace of mind in the event of a ransomware attack. A dedicated cyber insurance policy can offer much-needed support and resources when an attack occurs, minimizing the potential damages and financial impact on your organization.
For additional risk management guidance and insurance solutions, contact us today.
Creating a Cybersecurity Culture
Employees are an organization’s first line of defense against cybercriminals. For this reason, they are also commonly targeted. In fact, the vast majority (88%) of data breaches are caused by employee mistakes, according to Stanford University. Unfortunately for organizations, a single mistake can result in costly losses, reputational damage and lost or stolen data.
In order to keep your organization safe from cybercriminals, cybersecurity must become an integral part of company culture—something that is valued and upheld by every member of the organization. Cybersecurity should be top of mind for every employee when choosing whether to click a link, open an email or download documents from the web.
This article contains tips for improving employee engagement and creating a cybersecurity culture that will help protect your organization against cybercriminals.
Cybersecurity Culture Explained
An organization’s security culture will not grow on its own. To transform security training into everyday practices, organizations must invest in their security culture and constantly nurture it. A strong and resilient cybersecurity culture can benefit an organization in a number of ways, including:
- Protecting the organization against cyberthreats and data breaches
- Strengthening customer trust and loyalty
- Improving brand reputation
Although many organizations recognize the benefits of having a cybersecurity culture, they may fail to successfully create one for multiple reasons. One of the most common reasons is a lack of employee buy-in. In fact, one survey found that 60% of organizations don’t believe they have successfully achieved employee buy-in for cybersecurity practices. Lack of executive buy-in is also a common cause of failure. This may result from outdated thinking that cybersecurity only belongs to the IT department or a lack of understanding about the pervasiveness of the issue.
Fortunately for organizations, the main stumbling blocks to creating a thriving cybersecurity culture can also guarantee success if leveraged effectively.
Best Practices
When cultivating a cybersecurity culture, organizations should consider the following best practices:
- Engage the C-suite. Senior executives are sometimes resistant to adopting good cyber hygiene. This has to change if your organization is going to create a successful cybersecurity culture. Employees need to see management leading by example if they’re going to buy into a healthy cybersecurity culture. Encourage leaders to join the conversation and reinforce that cybersecurity is every employee’s responsibility.
Additionally, senior executives are one of the biggest targets for cybercriminals. Ensure they are doing their part in upholding cybersecurity values by teaching them how to identify and defend against targeted cyberattacks.
- Inspire ownership of cybersecurity. Clearly communicate what’s at stake to your employees and explain that your organization needs their help. It’s not enough to simply explain changes to security protocols. Ensure employees understand why these changes have been made and what you’re trying to do to protect the organization. It’s imperative that employees understand that no security system is foolproof and, therefore, it’s up to them to minimize threats and avoid unnecessary risks.
- Create engaging cybersecurity programs. Cybersecurity training should not be presented as a one-off occurrence. If you want your employees to embrace cybersecurity as part of their culture, provide fun training based on real experiences. Consider leveraging discussion forums, online games, in-person training and mock phishing exams as part of your holistic approach to cybersecurity learning. Brief and frequent lessons will also be more digestible and remind employees that cyber awareness is part of their corporate life.
- Bring back the basics. When discussing cybersecurity, many organizations make the mistake of skipping basic training. This can cause confusion and prevent core cybersecurity values from resonating with employees. According to one survey, 50% of all employees haven’t had formal cybersecurity training, and 96% keep passwords saved on their devices for easy access. When creating and teaching good cyber hygiene, don’t forget basic principles such as strong password policies, two-factor authentication and limits on security, downloads and network access.
- Make it easy. Ensure employees know where to report suspicious emails and how to check the authenticity of work-related communications. Whenever possible, encourage open lines of communication between your employees and the IT department. This will help encourage employees to proactively reach out to IT for help or to report mistakes.
- Celebrate success. Make cybersecurity part of performance reviews and reward systems. It is also beneficial to acknowledge employee successes one-on-one by expressing appreciation or offering rewards for their commitment to your organization’s cybersecurity goals.
Conclusion
When workplace cybersecurity is treated as a simple check-the-box exercise, costly mistakes can occur. Teaching employees to value and take responsibility for their actions can help organizations reduce their chances of becoming a victim of a cyberattack.
Contact us today for more cyber guidance.