How to build a culture of security


As Security Portfolio Director, I’m often asked, "Where do we begin to start increasing our security?"

I always answer, "Your people."

We're seeing new data and security breaches every day, at every level. The Australian Bureau of Statistics' Census 2016 outage shows that governments are as vulnerable as large organisations and small businesses. Read more about the Census 2016 failure.

With the emergence of Internet of Things (IoT) technology, we're connecting more devices to our networks and to the internet. Every connected device is another potential entry point, so the attack surface of both your network and your data grows with it. Read about IoT security risks.

It's a lot to stay on top of, especially when you're trying to focus on your customers. So how do you prepare your business to face security risks and turn cyber security into a positive enabler? What kind of security solutions should you be thinking about? See Spark's security solutions.

Start with your team to build a culture of security

A culture of security is all about the people in an organisation. It's about their understanding of the organisation’s mission and the risks posed by cyber threats – and how security plays a critical role.

The right culture of security aligns everyday behaviour with security policies and procedures. Without it, people see security as a hurdle and a drag: something to work around or a box to tick.

Three systematic steps that protect your assets

Instilling a culture of security is no different to communicating any other business priority. You want to make it relevant to your team. Educate them about their responsibilities, the benefits and the consequences.

1. Establish clear responsibilities and decision making processes

Responsibility for overseeing security should sit at the executive level. Security is far more than an IT or technology issue, and it needs to be managed as a business risk rather than treated as just a cost.

For example, as IoT expands, the remit of cyber security will grow well beyond IT, so teams will need to work together. When plants, machinery and vehicles become connected, threats and vulnerabilities have to be addressed by many parts of the business. Think: engineering, health and safety, legal and IT teams.

Think in terms of a security model, not just technologies. Build a security framework with policies and guidelines that cover each stage of an incident:

  • preparation and defences before an attack
  • detection and response during an attack
  • remediation and recovery after an attack

2. Build awareness

First, explain to staff why good security matters. Explain what risks look like and how cyber threats could affect the business.

Teams need to understand that your customer data is valuable. You have a legal obligation to look after it, and it's often exactly what attackers are after. Protect it like any other valuable possession.

Give staff positive and negative examples about the use of devices, passwords, and the handling of customer data. They can then see what "good" looks like and what kind of behaviour leads to security breaches. A bare policy statement such as "Do not email customer data" or "Don't reuse passwords across applications" is not effective on its own. You must explain the "why" behind each policy and make sure employees understand the potential consequences. Dropbox's breach, which was traced back to an employee reusing a password, is a good illustration of how one small lapse can have a large impact. Read about Dropbox's leak.

3. Make information security a business enabler

You can no longer afford to ignore security, but that doesn't mean holding back. Take advantage of mobility to keep your team connected, and use messaging, apps and cloud services to deliver better customer experiences. Just make sure you maintain a good security posture while you do it.

With a focused, human approach and a commitment to a culture of security that starts at the top, you can build a security-first mentality and deliver continuity of service with confidence.