3 Tips for Creating “Cybersecure Corporate Culture” at Your Firm

12/19/2017

There are four essential cybersecurity threats in today’s digital business environment, per Wade Baker, associate professor of integrated security at Virginia Tech’s Business Information Technology program:

  • Cybercriminals – Malefactors who use techniques such as phishing and ransomware to breach corporate networks and disrupt operations or steal data for illicit economic gain.
  • Cyberespionage – Nations attacking companies, or companies attacking companies, using malware and other techniques to disrupt operations, steal data and/or intellectual property for competitive reasons.
  • Activists – People who use internet techniques such as DDoS assaults to disrupt operations and/or damage the reputation of organizations they oppose.
  • Unknowing Insiders – Employees of a company or employees of trusted partners and contractors who knowingly or unknowingly assist cybercriminals.

Any company of any shape or size in any industry could be at risk from one or more of these threat factors at any given time, as digital business transcends physical borders and functions 24 hours a day. This modern reality has given rise to the Cybersecure Corporate Culture concept, in which all technology users, from entry-level personnel to C-suite leaders, share responsibility for safeguarding an organization’s digital assets, such as confidential data and brand reputation.

Fighting cyber threats is a “whole company issue,” Baker says in a special report for the SmartBrief on Security newsletter, because everybody involved in the organization, including its partners and contractors, is a target.

“Take a phishing email, which is used in cybercriminal activity and cyberespionage campaigns,” Baker offers as an example. “If the employee clicks on it, then their computer is infected, and it spreads from there to compromise other computers and servers throughout the network.”

So, how do you create Cybersecure Corporate Culture at your firm? Baker and his colleagues shared several tips in the SmartBrief report. Here are three keys we gleaned for you:

  • Include everybody in the defense force
    Baker believes that all employees and trusted partners should feel like they are “part of the defense of the organization.” Per Baker, employees can find breaches faster than intrusion detection systems by noticing suspicious situations and investigating on behalf of the company before alerting IT staff. In addition to regular cybersecurity awareness education and training, he suggests gamifying cyber vigilance. For example, employees could receive bounties for intercepting – and not clicking – phishing emails.
  • Bring down the walls between departments
    David Raymond, deputy director of Virginia Tech’s IT Security Lab, encourages a cooperative, collaborative relationship between business and IT operations. While the cybersecurity team is building a multi-layered technical defense, staff working in business operations should identify risks and vulnerabilities to help prioritize cybersecurity implementations.
  • Treat breaches like business failures rather than natural disasters
    Instead of treating breaches as events out of a company’s control, Raymond advises categorizing them as a form of business failure like neglecting to maintain an assembly line. This approach emphasizes that each person in the organization has a part to play and an obligation to perform.

We believe one of the most important aspects of cybersecure culture is adopting a strong framework for guiding policies and processes. Learn more in our “Malware Manual” series of posts.