How to create a culture of cyber safety

null

2017 will go down in history as the year global ransomware damage costs exceeded $5 billion according to Cybersecurity Ventures, due in part to the largest ransomware outbreak ever seen (WannaCry) and a data breach which exposed the personal information of almost 50 per cent of the U.S. population (Equifax).

A dark shadow was also cast over the bright horizon of 2018 with the disclosure of the Meltdown and Spectre vulnerabilities, leaving practically every operating system and device at risk.

Keeping up with the relentless churn of cyber security updates can be a challenge. However, it’s a worthwhile exercise, helping businesses understand what’s currently happening, what could happen and the steps you can take to prevent disasters.

Here’s how to build a cyber security culture to keep both your data and your reputation safe:

#1 All Aboard

Despite 75 per cent of UK companies placing cyber security high on the list of business priorities, often the task of protecting everyone falls on the shoulders of the IT department.

Yes, IT is likely to have the most knowledge when it comes to attack surfaces and protections, but as we’ve seen from recent major data breaches, security is everyone’s responsibility.

Inevitably, a business will have digital front-runners, followers and usually a few employees who are slower to adapt to technology processes. To cater to all three, regular training workshops hosted by in-house or outsourced experts is a must.

Ditch the tech-jargon and keep things simple. Try to make training relevant to employees’ lives outside the organisation and show them how they can use it to protect their personal online security as well, which will resonate far more effectively.

Once everyone understands what’s at stake, they’ll be less likely to skip security tasks, take risks or cut corners, which can leave your data vulnerable to being lost or stolen.

#2 Reliable processes

If it isn’t already, information security and privacy should be built into every internal process.

GDPR is almost here, placing new legal obligations on every business for how data is handled, stored and protected. Those falling short of the mark face a potential fine of up to 4 per cent of global revenue.

However, keeping your network in line with modern demands is not easy in today’s borderless world where personal and work devices are interchangeable and employees work outside the corporate network. Make sure all employees, those working on-site and remotely, are informed of any updated protocols to keep defences strong and to promote accountability.

Adopting a certified Information Security Management System can provide you with a strong, risk-based starting point to demonstrate you’re applying appropriate measures across business activities to protect personal data.

In the event of a breach of GDPR, your adherence to an approved ‘code of conduct’ or certification such as ISO27001 may be taken into account when the value of any fine is set.

All the same, GDPR extends beyond Information Security Management so it’s important you take this into account when preparing for compliance.

#3 Manage your periphery

One of the most famous, and largest, third-party compromise were the Paradise Papers, which leaked more than 13 million private tax files and exposed instances of offshore tax avoidance by major corporations, governments and celebrities.

These high-profile data breaches imply a business is only as safe as its weakest link, which can exist internally or as part of your supply chain. So, once your own business is in order, you should turn your attention to your external network to check partners are in sync with your own security values.

Take the time to really understand your business relationships. Which vendors are using what data, how are they using it and what protections do they have in place? The answer isn't holding back on outsourcing, but to implement the correct systems and checks at every stage of a partnership.

Adding a contractual obligation for high-security standards, instant notification if a breach occurs and a clause indemnifying you from loss due to a security law is recommended.

Regular third-party audits, like sending out simple questionnaires, is a good method to get written confirmation of security protocols. In the worst-case scenario, you’ve got a paper trail to prove you take security and GDPR requirements seriously.

#4 Get personal

More than thirty major tech companies recently signed a commitment to protect public data and improve security. This comes after the shocking revelation nearly 87 million Facebook users had their data harvested and used by Cambridge Analytica, without their knowledge.

Customers have every right to know who has access to their data, how it’s being used and whether it’s adequately protected and one thing’s for sure, there is a long way to go when it comes to winning back consumer trust.

A stricter notification regime is coming with GDPR, where every qualifying company must report significant breaches to the supervisory authority within 72 hours, inform individuals of a breach with high privacy risk for them and maintain an internal data breach register.

Don’t make the same mistake as Uber, who tried to conceal a large data breach (affecting 57 million customers) for almost a year before Bloomberg finally broke the story. The best advice, (and more importantly your legal obligation!), is not to keep a breach schtum as this will just cause further damage to your already dented reputation.

Transparency should be a central principle of your cyber security culture and this extends to your customer base. If you’re unlucky enough to experience a breach, your customers should be told straight-up as soon as possible.

You need to inform them of the estimated date of the breach; provide a jargon-free summary of the incident; information on the nature of the data stolen and the measures you’ve taken to limit the damage.

Another good thing to include is a list of actions they can take to mitigate any further damage (e.g. changing passwords and logins or installing software updates).

The benefits of today’s technology do not come risk-free and unfortunately, data breaches are just part of the reality of doing business in a thriving digital society. However, building a culture of cyber safety into the core of your organisation can help minimise risk and protect your reputation, so if the worst does happen, you’ll be prepared no matter what.

Adam Louca, Chief Technologist – Security, Softcat
Image source: Shutterstock/Sergey Nivens