One of the challenges – perhaps the biggest challenge – to achieving cybersecurity is complexity. Every day brings new threats as attackers display their creativity, along with new technologies and approaches for addressing those threats. Governments, both U.S. and foreign, regularly propose laws and regulations to better protect us – and, in the process, to confuse us. And underlying all of it is technical language which seems designed to prevent us from understanding the challenge at all.
It is no wonder that one of the questions our clients most often ask is where to start – what is the one thing they can do to begin the process of becoming cybersecure. The fact is that there is one thing that will put you on the road to cybersecurity: creating a culture of security.
While many firms claim to have a “culture of security,” few have made the commitment to engage every aspect of their operations, and every one of their personnel, in the goal of creating a cybersecure environment. Cybersecurity requires a firm to make each of its personnel a “human firewall.”
An enterprise-wide focus on security requires a focus on people, not only on technology. However important security technology may be – and we do not suggest that a company skimp on its technology budget! – most technical defenses can be undermined by the individuals who use them, whether through lack of training, negligence, or malice. Consequently, bringing individuals into the cybersecure culture and making them stakeholders will have an immediate and measurable impact on cybersecurity efforts.
So, then, how is a cybersecure culture achieved? A few essential steps are required:
- Management Buy-in. Perhaps most importantly, cybersecurity training must be introduced at every level of the organization, from the top down. When the “lowest” ranked employee sees the company owner or senior management attending training sessions, that employee will recognize that the enterprise places real value on cybersecurity.
- Create a Sense of Ownership. Just as important as setting an example is ensuring that each employee knows that he or she is responsible for cybersecurity. Each employee must develop a sense of ownership and control, so that they understand their role in a secure environment. This produces compliance not just by IT professionals and designated personnel, but by the entire enterprise.
- Quality Training. Mandatory training programs are often seen as meaningless rituals: necessary to “check the box,” then quickly forgotten. Cybersecurity training, in contrast, must be meaningful and memorable. The program should be tailored to the enterprise; a one-size-fits-all program will not convey conviction or seriousness to the participants. Those presenting the program must be able to encourage participation and respond to the questions it raises. And because training needs to be repeated regularly, the program must be updated and refreshed each time.
- Policies and Procedures. As with training, policies and procedures are often seen as documents to be received and filed away. In contrast, security policies and procedures must be living documents that shape day-to-day actions. Moreover, a firm must recognize that security is embedded in many policies, not just those written for that subject. Document control, social media policies and physical security all affect cybersecurity, so a regular review of all policies should be undertaken to determine how each can help focus the firm on cybersecurity.
Informed and aware personnel can stand as the first and best defense against attacks. As employees learn to identify and defend against phishing, spoofed web pages and other threats, they and their firms will reap a significant benefit and become part of the solution to cybersecurity.
Achieving cybersecurity is a significant challenge; however, by utilizing the most important of a company’s assets – its personnel – a company can create a culture of cybersecurity and fulfill the goal of a cybersecure environment.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies and creation of data security and privacy policies to responding to data breaches, regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.