To change a habit, you need to make a conscious decision, and then act out the new behaviour.
As Darwin said "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change"
We have already explored the importance of data to organisations but who are the custodians of the data?
The people!
Individuals have access to a wealth of data for their roles, some of this will be ordinary everyday data and some of it will be highly sensitive, such as intellectual property, or perhaps a patent or personally identifiable PII.
When looking to protect data assets the most important place to start is with the people that have access to and deal with them every day.
Think about employees at a bank, perhaps staff who access the vault. They likely require different training than other staff. They will have more protocols and procedures to adhere to due to their increased access and responsibilities.
So why is the security of data assets different?
Organisations usually have an underlying, unspoken culture related to their working practices and whilst this isn't explicitly communicated to staff, activities undertaken can demonstrate learned behaviours which staff pick up on implicitly. This often means that bad practices can be passed from one person to another and if the organisation does not notice or does not care, this will, in the long term, be harmful to the business.
Every organisation is different, with its emphasis placed on different elements within the business to deliver value. Organisations tend to adopt modes of working that are conducive to achieving their goals most efficiently. Unfortunately, this can usually be at the expense of security.
The business has a decision to make related to security and that ties to organisational culture – Risk vs Reward. Although security can help to establish frameworks and controls based on business direction, it cannot control or manage how an organisation’s culture will align with them.
If culture is at odds with security direction a decision needs to be made on what is most important at the executive level. Affecting change within any organisation must be a mandate with a top-down approach. Senior individuals need to actively support employees and be seen to ‘live’ their espoused values.
Ensuring that people get on board when culture shifts is all about using the right messaging, at the appropriate time to the correct people in a suitable medium. We must consider how best to communicate with our staff, certain communication channels may work for one set of people but might not work for others. Messaging needs to be tailored to the specific audience, this is vital if you want to win hearts and minds and change behaviours.
What can organisations do to strengthen their security culture?
Organisations should start by thinking about the types of data ‘users’ they have within their business, with clear objectives to target those who are deemed most ‘high-risk’ to the business.
Some key questions to think about when considering if a group is deemed ‘high risk’:
- Why is this group targeted as high-risk?
- What could the consequences be if data is compromised?
- How can we help lower the risk?
- What type of support might this group require?
Ensuring ‘high risk’ groups are prepared for these challenges is key.
It is likely that training and increasing awareness is required. The approach and challenges faced will differ across organisations. Large multi-national corporations could have thousands of users to educate, geographically dispersed with different languages and cultures and a wider degree of skillsets and are more likely to have the resources available to help create, structure and deliver any packages in a timely fashion.
Within smaller organisations with fewer people to educate it may be quicker to deliver results and see improvements. But there does need to be a greater consideration about how you articulate correctly to the right people and whether you have the required skills in-house to deliver this education effectively.
How can Savanti help you?
Savanti have always championed information security education and awareness, both internally and for their clients, it is one of their core offerings and has helped to establish their business and develop a positive security culture.
Well-trained employees become a security asset and the first line of defence against cyber security attacks rather than an area of risk.
Many organisations are implementing Information Security Education and Awareness Training (ISE&AT) programmes to reduce their exposure to increasingly sophisticated cyber security attacks that target employees.
What else can we be doing to safeguard our data assets?
Our final blog addresses the topic of establishing proactive controls across your data through the process of data discovery and labelling. If you want to find out more about Savanti's work, then why not visit the chat function on our website or fill in the below details:
