As a leader, you have a long list of priorities. It seems as though your list grows every day. Today, cybersecurity is near the top of your list, even if IT isn’t your department.
One of the pervading misconceptions about security is that it is a concern limited to your IT department. While it’s true that your infrastructure and systems are a crucial part of security, if you want to truly protect your company and its assets, then it must be a collaborative team effort.
Cybersecurity infrastructure is similar to a deadbolt or a security camera on your house. These are a form of insurance, but they only work if you don’t leave your doors and windows wide open. As a leader, your role is to not only make sure the doors and windows to your organization are closed but also to show your team members why it’s so important to make sure they lock the door behind them. Just ask Sony.
Approach Cybersecurity from a People Perspective
With so much emphasis on security architecture and infrastructure, it’s not difficult to see why so many believe that cybersecurity begins and ends in your IT department. To become a cybersecurity leader in your organization, however, you need to understand this incredibly important point: Security isn’t, by and large, a technical problem. It’s a people problem.
Any IT vulnerability analyst worth their salt will tell you that malicious actors look for easily exploited weaknesses. Rather than spend years trying to beat increasingly complex code, they rely on something much easier to predict: human weakness. When Sony experienced its security breach in 2014, it occurred not because the hackers subverted Sony’s top-level infrastructure from the outside. They got in because an employee allegedly let the hacker into the Sony office building, where they then stole passwords.
A people-first cybersecurity strategy solidifies the front lines of the rest of your security apparatus. Achieving this means both training employees on core cybersecurity practices and providing them with an action plan to fall back on in the event of a breach. The attack at Sony wasn’t a simple leak or theft: The attack obliterated the company’s internal systems and set off both internal and external firestorms. What’s worse, it had likely been going on for a year before the data dump. Sony’s response when it learned of the attack: It told employees to go home while administrators attempted to send it into lock-down.
Model Sound Cybersecurity Practices at the Top
A security-aware culture starts at the top—and that’s you. So, how do you model sound security practices? The first step is to start talking about them.
Everyone knows that security is an issue, but few people realize just how common attacks are and how at-risk any business is, including small to mid-sized enterprises (SMEs). When you focus on the big hacks, like Sony or Target, it seems as though hackers are only interested in high-end targets. But high-end isn’t the same as high-value. SME ignorance on the matter is in itself valuable to cybercriminals. Over 40% of all cyberattacks target small organizations because it’s easier to break in.
It’s also important to model cybersecurity through policy and in practice. You need to use sound password security practices, avoid using unsecured devices, and handle sensitive data properly (both online and offline). You should also educate yourself on these practices so that you can call out poor practices when you see them rather than letting them carry on.
Provide Up-to-Date Education on the Latest Threats
One way to keep security at the forefront of people’s minds is to share coverage of recent attacks and their sources. Bring it up at meetings, put it in the company email, and even consider running a monthly cybersecurity sit-down for staff. Don’t just share the losses; explain how the attack happened.
Awareness also needs to go hand-in-hand with education, and it’s an area of real weakness. Only 31% of employees report receiving even annual training in cybersecurity. Educating employees on targeted phishing is a great place to start. Phishing is a threat that’s continuing to grow year-on-year: The State of the Phish report found that 90% of organizations received an attempted targeted phishing attack in 2019. You should be showing employees:
- What phishing is
- How to spot a targeted phishing email
- What other ways phishing can appear
- Where to report a phishing threat in your organization
Attackers can send out as many phishing attempts as they want. But they won’t be successful if your team knows how to spot and report them.
Employees also need to know how different threats are connected and their role in preventing those threats from breaching the company’s defenses. For example, phishing is a popular way of spreading ransomware, which is a type of software that gains control of internal data and effectively holds the organization ‘ransom.’
Lead Your Team for Strong Security Culture
As a leader, it’s your job to show your team the ropes on cybersecurity. Why? Because cybersecurity isn’t something for just the IT department to worry about. Everyone from the front desk to the C-Suite needs to have a core understanding of security so that you can all protect your house.
Cybersecurity is a moving target, which makes awareness and regular education even more important. But if you take it upon yourself to become a cybersecurity leader, you will do more than even the most expensive software to keep your team, customers, and organization safe.