Why Build a Cybersecurity Culture?

Author: Paul Frenken, MBA, PMP, FAIR, PMS2, PAL
Date Published: 22 October 2020

Editor’s note: Throughout Cybersecurity Awareness Month in October, the ISACA Now blog will publish new posts on hot security topics each week. For additional ISACA cybersecurity resources, visit our Cybersecurity Awareness Month page.

One of the best ways for an organization to reduce cyber risk is to build a culture of cybersecurity. This entails creating a mindset in employees that the risk is real and that their daily actions affect that risk. Cybersecurity culture is important because it helps protect company assets, from hardware to data. It needs to be part of a broader corporate culture of day-to-day actions that encourage employees to make thoughtful decisions that align with security policies. A security culture is more than just cybersecurity awareness. It requires the workforce to know the security risk and the process to avoid that risk. It is the building and enforcement of an operating process of tasks that keeps the firm safe. Most organizations have spent years and countless resources to acquire and create their data assets, and if those assets are lost, stolen or corrupted, it could affect their bottom line for years to come.

The news is littered with companies that were targeted due to inadequate security. Most of these could have been avoided by simple security standards followed by the employees. Ninety percent of cyberattacks are caused by human error or behavior. An organization is more likely to be compromised from employees losing their laptop or cellphone, inserting a flash drive into their computer or opening up a mysterious email than a malicious criminal hack from the outside.

Enterprises spend millions of dollars on hardware and software but neglect the simple act of properly training their employees on security practices. Teaching employees to recognize threats, curb poor behavior and follow basic security habits can be the best return on investment. However, it can be difficult to measure and therefore justify the expense. Trying to quantify the return on investment in employee training and building a culture of security can be difficult to sell to upper management. In many cases, management does not believe that just training their employees can reduce their exposure to cyber losses.

One example is a phishing email. Ninety percent of cyberattacks start with a phishing email. Yet most employees believe they would know how to recognize a phishing email and would not act on the request in the email. However, according to the Verizon 2019 Data Breach Investigations Report, 30 percent of all phishing emails are opened and 12 percent of the links are clicked. With nine out of 10 ransomware infections coming from some form of phishing event, investing in employee training about phishing emails can reduce risk significantly. In 2020, ransomware is a fast-growing cyberthreat to business, especially in the COVID-19 environment. It is now even more important to invest in employee training. Because the majority of ransomware comes from phishing events, if an enterprise can keep team members from acting on phishing events, it can save many headaches down the road.

An enterprise-wide cybersecurity culture can save millions of dollars, improve reputation and alleviate years of problems.

Editor’s note: For further insights on this topic, read Paul Frenken’s recent Journal article, “Building a Culture of Security,” ISACA Journal, volume 5, 2020.