Security culture and the human element of cybersecurity

Over the past decade, digital transformation has been a core focus for growing industries. From eCommerce to online education, medical records to app-based insurance claims, companies across industries have been on a steady trajectory of technological growth. But in 2020, slow and steady growth became fast and furious change. The way the world works was altered virtually overnight ... and likely for good.

Today, 72% of organizations offer hybrid work options for employees, and 43% say they will keep hybrid work options going forward.

While there were many variables involved in the specifics of how companies responded to this tipping point and its ramifications, three overarching trends have emerged:

1. The rise of remote and hybrid workforces
2. The need for ubiquitous, accessible information
3. The evolution of company culture

Unfortunately, the quick pivots and band-aid solutions that got organizations through the pandemic until things “got back to normal,” weren't long-term solutions to build a secured, sustainable future in this new era of borderless work. Today’s companies need to understand their vulnerabilities, mitigate their risks, and drive a security culture that supports their people and protects their information.

The human element of cybersecurity

According to Verizon’s latest Data Breaches Investigations Report (DBIR), 82% of data breaches involved the human element such as stolen credentials, phishing, misuse, or simply a mistake in which information was exposed.

Mistakes are an essential part of the human experience — a valuable source of learning and growth. However, in cybersecurity, even small mistakes can lead to huge consequences. Potentially damaging missteps too frequently go unaddressed with organizations that don’t have a thorough understanding of what’s at risk. This challenge has been heightened exponentially due to the prevalence of remote working.

According to IBM Security’s 17th Annual Cost of Data Breach report, the average cost of a breach was $1.07 million higher in breaches where remote work was a factor in causing it. When employees are away from the office, they tend to be less mindful of security best practices and may adopt bad cybersecurity habits. These bad habits combined with the lack of appropriate security controls at home cause more frequent and more costly breaches.

Ransomware is always just a click away

A devastating data breach can happen to anyone. And the likelihood is greater than ever.

Verizon’s 2022 DBIR stated that ransomware has increased 13% in breaches, greater than the last five years combined. All it takes for a cyber attack to begin is for one employee to click on a phishing email or respond to a social networking message. And it’s easy to do. Hackers are clever — messages often come proxied and it can appear as if they are coming from another employee, or even the employee’s supervisor or CEO. One click grants the access, and the attack begins.

Ransomware is a type of malware that is designed to deny a user access to their computer files – typically, attackers encrypt these files and demand a ransom payment for the decryption key. Common routes ransomware uses to invade your network include credentials, phishing, exploiting vulnerabilities, and botnets.

Remote work has heightened the risk of ransomware and other malware due to employees sharing home office space, printing confidential documents on shared devices and the forming of unintentional bad habits as they give priority to completing tasks over best security practices. As ransomware attacks continue to increase in frequency and sophistication, organizations must focus on educating their people and having good processes in place that help eliminate the likelihood of an attack.

Safety first: how to drive a security culture

Protecting your organization from a cyberattack isn’t a one-and-done situation — detecting and preventing its likelihood is ongoing and requires buy-in from employees at every level. Security should be viewed as a company-wide initiative. The idea that security is the responsibility of IT departments alone is an antiquated one — organizations need to instill responsibility across roles and foster an open atmosphere around security.

Empowering employees with security awareness training is a great first step to driving a strong security culture. By highlighting processes, establishing communication channels, and clearly articulating polices, employees can more easily flag potential threats and understand what tools are available for them to use.

Rewarding employees for their contribution is also essential in building a positive security culture. Traditionally, employees view security professionals as disciplinarians for any human error they may have caused. It’s vital to turn this perception around by having your security department recognize employees for their efforts. Doing so supports a positive culture in which reporting incidents and interacting with the security team becomes standard practice.

Ultimately, establishing ongoing security training, having open lines of communication, and fostering an inclusive environment for all employees will help build a healthy security culture that keeps your company safe, strong, and thriving.

The rise of remote and hybrid workforces has made information the new currency. Your employees need it, and hackers want it. A proactive mindset is the best way to safeguard against cyberattacks, and that means putting safety first. Here are a few ways to promote a security culture in your organization.

• Identify the risks and vulnerabilities posed to your company by remote and hybrid work.
• Ensure employees understand what’s at risk through trainings and consistent reinforcement.
• Educate managers on security protocols and hold them accountable for helping to build a culture of awareness and vigilance.
• Partner with experts in data systems and solutions to safeguard your most important asset —your information. 

Source:  RICOH USA