This article explores the importance of creating a culture of cybersecurity within organizations. It discusses the impact of major data breaches, the role of employees and stakeholders, the influence on business processes and technology systems, and the need for awareness and education. The article also addresses the challenges of promoting security practices and provides insight on how to implement and communicate security policies effectively.
If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. — Kahlil Gibran
Defining Security
• The ability to protect information and access
• To keep and maintain the trust of citizens, customers, clients and stakeholders
• What will your culture allow?
Ahhh, The People!
• Security affects not only the employees, but also:
  • Stakeholders
  • Customers/Clients
  • Business Partners
  • Service Providers
Processes
• Security affects business processes in terms of:
  • Work-flow
  • Business continuity
  • Work practices
  • Accessibility
Technology
• Security affects technology systems:
  • Software applications
  • Connectivity (wired and wireless)
  • Servers
  • Desktops
  • Storage devices
  • Jump drives
  • Cloud storage such as Dropbox or OneDrive
Getting everyone to think about security
• Without adequate awareness, we may neglect to consider security, leading us to:
  • Open unknown email attachments
  • Select obviously weak passwords
  • Become complacent about warning messages
    • Example: Windows warning messages and automatic updates
  • Fail to back up important data
The need for awareness
• 2012 Information Security Survey:
  • 46% cited employees lost or leaked information
  • 62% cited a virus or malicious software infected their systems
  • 30% cited that data ownership and protection is completely understood
• Organizations cite that 10% of budget is spent on IT security
• PricewaterhouseCoopers 2010 executive summary quote: “Given the rising level of breaches seen by the survey, it is more critical than ever that organizations raise security awareness among their users.”
Promoting Security: How is it Done?
(Chart. Source: DTI/BERR ISBS)
It’s not enough!
• Awareness alone is not enough
• Even security-aware employees can reject and disobey the rules
• Going beyond awareness requires buy-in
• Everyone needs to understand, accept and engage with security as part of their natural behavior
• This is unlikely to be the default position
• We have work to do!
How does your Organization View Security?
• No one encounters security for a good reason
  • Usually to prevent threats, or when a threat has occurred
  • May mean more work added or some type of inconvenience
• Some feel like they need to have it, but don’t actually want it
• Policies can be viewed as something that protects the organization and not necessarily the individuals
Security Fatigue
• Everyone becomes overwhelmed with keeping up with security practices
  • Technical requirements
  • Physical requirements
• Poses threats to the organization’s networks if not addressed
• Employees can become overwhelmed
Example of Security Fatigue
• Remember Vista and UAC (User Account Control)?
• A Microsoft feature intended to help with security
• When you wanted to run a program, you had to give permission to do so…
• Great idea in theory, but bad implementation!
• Users eventually turned it off!
• Other examples of security fatigue
Implications of Security Fatigue
• We will find workarounds
  • Turning off automatic updates
• Fatigue is not limited to technology-based solutions
  • Physical security and procedural activities
• Ignoring security practices creates opportunities for data breaches and viruses
Creating a Culture of Security (Avoiding Security Fatigue)
• Security aspects that promote understanding and acceptance:
  • What is the organization’s security policy
  • What must be done to comply with it
  • The benefits to the organization and the individual (where possible)
  • The implications of non-compliance
Implementing the Security Practice
• Cannot simply rely on writing and adopting the policy
  • No one reads it, or possibly understands it!
• There will be variations in acceptance
  • Some will be far more directly responsive than others
  • Some will need a more targeted approach: how does this affect my day-to-day work? (self-interest)
  • Others need to be persuaded, convinced and/or engaged
• We must be intentional about our security practices
Levels of Security Compliance… Building the Culture
(Chart: degree of compliance vs. degree of non-compliance)
Challenges of a Security Culture
• Inability to understand or quantify security threats
  • Technical vulnerabilities
  • Unable to measure the severity and probability of risk
• Budget considerations: “Do we have the money to do this?”
• Assumption that security practices will inhibit or interfere with job performance or business production
Conclusions
• Security needs to be promoted and communicated in different ways
• It is easy to focus upon the technology and forget the people that use it
• Volume alone is not the answer
  • More awareness may not deliver more tolerance
• Targeted communication efforts are very valuable (quality vs. quantity)
  • Personalize the message based upon the users
• Needs senior-level partnership/sponsorship
Contact Information
Maurice A. Ferrell
mferrell@sog.unc.edu
Phone: 919-843-5284