Practicing Good Cyber-security is Everyone’s Responsibility
Digital, data and cyber | Article | October 25, 2019
Zurich's CISO Paige Adams comments on ten basic tenets for today’s business leaders to incorporate into their company’s day-to-day operations so as to reduce risk and increase cyber resilience.
“Practice makes perfect” applies to many aspects of life - and it’s especially true in the world of information security. The complexities and magnitude of today’s cybersecurity challenges can be daunting for many organizations, but the World Economic Forum’s recently-published Cybersecurity Guide for Leaders in Today’s Digital World provides a practical guide.
Is it a foolproof defense against cyberattacks and security breaches? Unfortunately, there are no silver bullets. But the guide contains ten basic tenets for today’s business leaders to incorporate into their company’s day-to-day operations. Diligent application of these tenets - and making them a part of your corporate culture - will go a long way toward reducing risk and increasing cyber resilience.
This new report provides a practical guide with basic tenets for business leaders to incorporate into their company’s day-to-day operations so as to reduce risk and increase cyber resilience.
Paige Adams, Chief Information Security Officer, Zurich Insurance Group.
As the WEF guide indicates: today’s cybersecurity leaders are now viewed as business leaders, working to protect data without business interruptions. Still, not every executive is a cybersecurity professional, nor do they necessarily need to be. It’s important, however, that those who have a primary responsibility for cybersecurity in an organization communicate risk effectively among their colleagues across the business.
Zurich Insurance Group uses a risk-based framework to achieve this, called the Integrated Information Security Baseline (IISB). The IISB harmonizes security efforts across the global organization and helps business leaders – business unit CEOs, COOs, CFOs – better understand and manage key cyber risks. Jointly managed by the first and second lines of defense, it comprises key risk indicators that touch on several of the WEF guide’s tenets. However, its primary benefit is helping to achieve the tenth tenet: creating a culture of cybersecurity.
What does it mean to have a strong cybersecurity culture? Again, it’s not about making everyone in the organization a technical expert on the latest cyber threats, but there are a few things to keep in mind:
- Nearly all individuals in an organization have access to information that is valuable to cyber criminals. That could be information with value in its own right, such as personally identifiable information that can be sold on the dark web, or information such as credentials that can be exploited and used to further burrow into network systems and access other critical systems.
- Many data breaches are enabled by unintentionally risky behaviors, such as selecting weak passwords or sharing account login credentials.
- Most importantly, the bulk of today’s cyber threats achieve their goal through the human element: targeting individuals through phishing and social engineering.
And here are a few tips that organizations can use to strengthen their cybersecurity culture:
- Create a framework for managing risk that can be understood across the organization, even by non-cybersecurity professionals. It doesn’t need to be a comprehensive measurement of all risks. But it should use key risk indicators that are representative of the main risk areas in order to provide an overall barometer of cybersecurity risk and keep it part of the business conversation.
- Make sure cyber is part of the dialog at the highest levels of the organization. If the CEO is talking about phishing awareness, there’s a good chance that this will become a priority at all levels.
- Create a security education and awareness function and appoint a senior leader who is responsible for running security awareness campaigns and overseeing security training. The leader of this function should be empowered to work with colleagues across various business functions, in order to design programs that address the needs of different employee specialties.
- Create incentive programs to reward and reinforce positive security behaviors. For example, phish simulation training could be made more enjoyable through gamification and giving small prizes for those that report the most phishes.
- Many companies have a mandatory annual training requirement, but you can also find ways to make engaging “bite-sized” security training available throughout the year. This can be delivered through fun quizzes, cartoons, or security-focused mini webisodes, e.g. the “Restricted Intelligence” series available through the Twist and Shout Group.
- Ensure employees know the right channel to quickly report suspicious activity and make sure this information is easily recallable and accessible. Even better, have multiple channels for communication: IT help desk, dedicated cyber reporting phone line, email, or even SMS or social media messaging.
- Communicate, communicate, and communicate! In order to keep cybersecurity top of mind, it should be communicated frequently and continually through multiple channels. Company newsletters, blogs, digital signage, posters, etc., can all be good venues for promoting anything from a cybersecurity tip of the day or slogan, to an interview with a top company executive on the topic of cyber fraud.
Remember that in every company, everyone is a security champion. We all have a responsibility to stay educated and aware, and to support the cybersecurity team in implementing best practices.
From Paige Adams, Chief Information Security Officer, Zurich Insurance Group