Every organization needs to create a culture promoting cybersecurity
Every organization, large or small, needs to create a culture promoting cybersecurity. The mission is developed in the boardroom, and through education, training, and awareness, the message makes its way to the backroom.
Cybersecurity in the workplace is the focus this week as Navigant continues its series to recognize National Cyber Security Awareness Month, an observance sponsored each October by the U.S. Department of Homeland Security and the nonprofit National Cyber Security Alliance.
Navigant’s global legal technology solutions information security team offers five simple tips on how organizations can develop a culture where every employee shares the responsibility to identify, prevent, and react to cyber threats.
Develop a Framework
Every organization needs to develop a cybersecurity policy framework to provide guidance on how to prevent, detect, and manage cyber attacks. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is among the most widely used, but it isn’t the only one, and the right choice depends on the sector and its regulatory obligations. Government agencies and energy companies may be well served by the NIST framework on its own, but hospitals and other healthcare organizations must also comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and audit and finance organizations often align with the Control Objectives for Information and Related Technologies (COBIT) framework. Whichever framework is chosen, every organization should study the Center for Internet Security’s CIS Controls, a prioritized set of 20 cybersecurity actions, from basic hygiene to more advanced measures, that address the most common attacks.
Conduct a Gap Analysis
A gap analysis allows an organization to assess its current level of cybersecurity against the chosen framework and identify what it must do to reach its target state. It examines the organization’s cybersecurity policies and procedures, its IT systems, its organizational chart and staffing, its incident response capabilities, and its communication processes. The output is a documented picture of the present state of security and a prioritized set of goals for closing the gaps.
Engage Outside Experts
Having selected a cybersecurity framework and identified the weaknesses in the system, organizations are often tempted to make the corrections on their own. This is the equivalent of a person using the internet to self-diagnose an illness or injury. Proper security requires outside expertise. Like a physician, a cybersecurity expert can best diagnose the maladies and write a prescription to achieve stronger security.
Review Security Policies
It’s not enough for an organization to have its cybersecurity policies stashed in a binder or sitting on a server. Every employee needs to be educated in the policies, trained regularly, and then tested on their knowledge. Effective organizations offer ongoing training sessions for employees and annual data privacy and security assessments to measure how well staff understand the cybersecurity policies and procedures, and they use the results to target further training.
Join Industry Organizations
Companies should be involved with professional organizations and associations to stay current on how cybersecurity is being addressed across industries. Professional trade associations provide a conduit between companies and often post news and alerts about cyber threats affecting an industry; sector-specific Information Sharing and Analysis Centers (ISACs) exist for exactly this purpose. Attackers commonly reuse the same methods against many companies in the same industry, so a campaign that hits one firm is an early warning for its peers. Companies that are not involved in these organizations are unlikely to learn about an attack that is threatening multiple firms within their industry until it reaches them.