JD Harris is CEO of Ascent Solutions, the partner to solve the most challenging cybersecurity problems.
It is now time for cybersecurity policies to become as ubiquitous and accepted as workplace security policies. Cybersecurity is where physical security was 40 years ago: there are few rules or standards, and the ones that exist often feel arbitrarily imposed. Cybersecurity is not an expected or regulated part of corporate culture. This is a critical juncture not only in the cybersecurity landscape, but also in basic corporate behavior. It’s time for leaders to drive cultural change that underpins cybersecurity policies and makes them as necessary as security and compliance standards.
Years ago, factory work was incredibly dangerous and unregulated. There was no external governing body to oversee factory safety measures. There were no safety posts or signage distributed in the work area. It wasn’t until workers fought for industry standards that entities like OSHA began to provide safer environments. Safety meetings, equipment maintenance and protective barriers became standard. Incidents are now publicly discussed – manufacturers have signs announcing the days or years since the last accident. Before the 1970s, however, workplace safety expectations were rare and accidents were routine.
Picture this: a new employee enters a factory and their supervisor tells them to figure it out on their own. So they start pushing buttons, moving levers and maybe even hanging around the circular saw – just like an unsupervised toddler. If someone lost a finger, employers would quietly send them to the hospital, and the employee would go back to work as if nothing had happened. No one talked about the accident or tried to fix the machine that caused it.
In this century, such events seem ridiculous and would not be acceptable in any organization. Yet this is how we treat our companies if we don’t create a culture of cybersecurity.
As of 2022, cyberattacks are costing the U.S. economy on average $9.44 million, rising year after year. Because of attackers' increasingly advanced methods, no person or company is immune to cyber problems, not even people who do not own a laptop. Today, companies are even more vulnerable to cyberattacks for the same reasons that caused tragic workplace accidents: low standards and no oversight. This has to change.
Fight for cultural change
Culture change is the first step to take if we expect our businesses to be protected from cyber-attacks. Just like security measures implemented across industries to protect workers, we need a cross-industry focus on digital safety and cybersecurity. Our broader culture needs to understand that cybersecurity is just as important as wearing helmets and neon vests on a construction site.
Business leaders are responsible for cultural change within their organizations to ensure they thrive in both the short and long term. This requires modeling certain behaviors that will better protect your organization (i.e., taking more time to read something before clicking on it, or checking for odd URLs and sender addresses that differ from the usual sources of information). It also takes a conscientious effort to incorporate cybersecurity measures into the work environment, just as you would address any other threat (such as physical building security or machine and system safety).
Master the fundamentals
Protecting your business doesn’t have to be complicated. There are basic routines every organization needs to follow – multi-factor authentication, penetration testing, threat hunting, wiping sensitive data from old devices, and so on – and these are table stakes. Every organization must master them. Perform maintenance: regularly patching and updating all software and firmware keeps each device functioning optimally and also delivers critical fixes for emerging vulnerabilities.
Team members must understand that these are daily, ongoing practices. Forgoing steps such as multi-factor authentication, penetration testing and threat hunting is the cyber equivalent of a surgeon not washing their hands before surgery or a traffic officer going to work without a regulation safety vest. Everyone needs to understand that these cybersecurity measures are what allow the real work to begin.
Software alone will not solve cybersecurity problems
Technical solutions such as anti-malware software are only effective when used in conjunction with employee education. Ongoing training should be required for all stakeholders, including third parties who have access to your organization’s information. Employees should also be trained to understand and report insider threats so that your company can act quickly when those threats arise. Discuss your organization’s “crown jewels” that need special attention, provide case studies of past breaches, and teach them to recognize the signs of a security incident. Talking openly about possible problems at the organizational level is a healthy habit to build.
Cybersecurity is a never-ending journey
Cybersecurity is an ongoing journey to understanding the level of risk and threats your organization faces and responding accordingly. Leaders and their teams need to understand that cybersecurity regulations are just as important as physical safety regulations. Understanding common threats, educating your employees on what to look for, and learning the best practices to secure your company’s digital assets are essential steps in mitigating the frequency and severity of these attacks.