Building a culture of security at your firm
The infamous Target data breach may have occurred in 2013, but it taught us a valuable lesson that continues to influence business culture today. When the company’s then-CEO Gregg Steinhafel resigned following the incident, it was a wake-up call for everyone. Suddenly, we realized how far beyond the IT department the implications of a security breach could reach, and that everyone in the business shares responsibility for keeping it secure. Or, at least, we should have.
From a digital marketing perspective, it’s not hard to understand why. CMOs are now spending more on technology and collecting more data than any other C-level executive, including the CIO/CTO. So how do you build a security-minded culture, one where every individual is invested in following best practices that will keep your firm’s data protected? The key is to focus on four important areas:
Encourage open communication and collaboration.
Technology is no longer the domain of technologists or IT professionals alone, but they are an ally in your fight to keep your data safe. If marketing and technology departments aren’t close collaborators at your firm, that’s a problem. Each team owns different systems, so either group writing processes, policies or procedures in a vacuum produces an ill-informed plan. Work together to inventory your firm’s entire digital footprint, including where it is exposed, and then, as a team, decide how to address each of those points.
Your strategy should take three factors into consideration:
- People–Ensure every person has the access they need to the tools they need – and no more than that (the principle of least privilege). Review that access when roles change, not just when accounts are created.
- Process–Have a plan in place to classify your data by category (e.g., public, internal, confidential and user data), manage who can access that data and your tools, and review and update your software and equipment as necessary.
- Technology–There are many products you can use to help defend yourself. Use different types of protection (e.g., DDoS protection or web application firewalls) in multiple layers, so that a single control failing does not leave you exposed. Think of them as shields.
Once you’ve established the strategy and plan, make sure to communicate it! Everyone at the company needs to know what the plan is – and understand it – if they’re going to be responsible for enforcing it.
Set high standards, and require everyone you work with to abide by them.
Another important lesson we learned from the Target breach was that security precautions must be taken by those outside of your organization as well. Third-party vendors, and even clients, can make you vulnerable to an attack. In Target’s case, attackers first compromised one of its HVAC contractors, then used that contractor’s access to get into Target’s network and from there reach the systems handling its credit card transactions.
Ultimately, you need to hold your vendors and third parties to the same standards that you’re setting for your own company – and if they’re not willing to comply, it’s best to sever ties with them. The good news is, the Target incident helped spark a domino effect of security concern. Companies started putting more pressure on their third parties, and those third parties in turn demanded the same from their own suppliers. Before you know it, a security culture spreads through the whole chain. It’s table stakes at this point. Simply put, those who don’t follow security best practices won’t survive.
Create an army of innately suspicious individuals.
A large share of breaches start with a phishing email: an attempt to gain access to information, such as login credentials or credit card info, by posing as a trustworthy source. Attackers go for the easiest way in. If your technology infrastructure is sound, they will focus their efforts instead on a more permeable entry point – your people. Because, let’s face it, humans are fallible.
To make matters more difficult, every year these phishing attempts become more sophisticated and less likely to be immediately recognized as malicious. Educating your colleagues about these scams, and testing their susceptibility with simulated phishing exercises, will reduce the likelihood of them falling for the real thing. It may make them more suspicious in general, but that’s almost the goal. It’s better to be safe than sorry (or dealing with a PR nightmare after a breach).
Keep adoption simple.
If you want your people to make the effort to be secure, you have to make it as easy as possible. Everybody knows that reusing the same password across systems means a breach of any one of them exposes all the others. But they also know that remembering lots of complex, unique passwords is nearly impossible. Most will eventually get lazy with their passwords to ease the burden on their brain, leaving your business right back at square one.
Firms are now considering biometrics (fingerprints, face prints, voice recognition) or risk-based escalating challenges in place of complicated passwords to ease the user experience of security measures. One caveat: a fingerprint or face can’t be rotated the way a password can, so biometrics work best as a way to unlock a credential that stays on the user’s device rather than as a secret sent to every system.
For example, if an individual creates a password that is 20 random characters long and not practically crackable, and there is no sign of malicious activity on the individual’s account, that password would not need to be changed on a regular schedule. Instead, the user would only have to update his or her password if, say, the system is alerted to multiple failed login attempts. This is the direction NIST’s Digital Identity Guidelines (SP 800-63B) take: no forced periodic rotation, but a mandatory change when there is evidence of compromise. Or perhaps that individual doesn’t have to remember a password at all because they log in by scanning their finger instead. At the end of the day, the easier it is for someone to comply with security standards, the more likely they will continue to do so on a regular basis. Luckily, technology is making it so that “easy” doesn’t always have to mean weak or susceptible to hacking.
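To make the risk-based approach concrete, here is an added example (not One North’s code or a product feature) of the decision logic such a policy could run on every login: a strong, randomly generated password is never rotated on a schedule, a burst of failed attempts forces a reset, a few failures trigger a step-up challenge instead, and only weak passwords age out. The thresholds, entropy cutoff and sample accounts are assumptions chosen for illustration.

```python
import math
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Policy knobs (assumed values for illustration; tune to your own risk appetite).
FAILED_WINDOW = timedelta(minutes=15)   # look-back for counting failed logins
FAILED_THRESHOLD = 5                    # failures in the window that signal an attack
STRONG_ENTROPY_BITS = 80.0              # at or above this, no scheduled rotation
WEAK_ROTATION_AGE = timedelta(days=90)  # weaker passwords still age out


@dataclass
class LoginEvent:
    when: datetime
    success: bool


@dataclass
class Account:
    user: str
    password_entropy_bits: float
    password_set_at: datetime
    events: List[LoginEvent] = field(default_factory=list)


def estimate_entropy_bits(password: str) -> float:
    """Estimate entropy as len * log2(charset size).

    Only meaningful for machine-generated passwords drawn uniformly from the
    character classes present; human-chosen passwords are far weaker than this
    number suggests, so use a generator (not this estimator) to produce them.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    charset = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(charset) if charset else 0.0


def failed_attempts_in_window(account: Account, now: datetime) -> int:
    """Count failed logins inside the look-back window ending at `now`."""
    cutoff = now - FAILED_WINDOW
    return sum(1 for e in account.events if not e.success and cutoff <= e.when <= now)


def decide(account: Account, now: datetime) -> str:
    """Return 'allow', 'step_up' or 'force_reset' for this account's next login.

    Order matters: evidence of an active attack outranks everything else, and a
    strong password is never rotated merely because time has passed.
    """
    failures = failed_attempts_in_window(account, now)
    if failures >= FAILED_THRESHOLD:
        return "force_reset"          # burst of failures: treat the credential as exposed
    if failures > 0:
        return "step_up"              # a few failures: ask for a second factor, not a reset
    weak = account.password_entropy_bits < STRONG_ENTROPY_BITS
    if weak and now - account.password_set_at > WEAK_ROTATION_AGE:
        return "force_reset"          # weak password that has aged out of its window
    return "allow"


def demo() -> dict:
    """Run the policy over constructed accounts (sample data, not real users)."""
    now = datetime(2024, 1, 15, 12, 0, 0)
    strong = estimate_entropy_bits("q7#Kd2!pL9@zX4$mW8&v")   # 20 random chars, 4 classes
    weak = estimate_entropy_bits("summerholiday")             # lowercase only

    quiet = Account("alice", strong, now - timedelta(days=400))
    attacked = Account("bob", strong, now - timedelta(days=400),
                       [LoginEvent(now - timedelta(minutes=i), False) for i in range(1, 7)])
    wobbly = Account("carol", strong, now - timedelta(days=10),
                     [LoginEvent(now - timedelta(minutes=3), False),
                      LoginEvent(now - timedelta(hours=5), False)])  # second one is outside the window
    stale = Account("dave", weak, now - timedelta(days=120))

    return {a.user: decide(a, now) for a in (quiet, attacked, wobbly, stale)}


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(f"{user:6} -> {verdict}")
```

Note that the entropy estimate only holds for passwords a generator produced; a password manager that generates and stores them is what makes the "strong password, no scheduled rotation" branch safe to offer to people who would otherwise choose something memorable and weak.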
Remember, security is the responsibility of every individual at your organization, because the firm is only as strong as its weakest link. If you work together to make sure everyone involved is aware of and follows your processes and procedures, you’ll be a much stronger force to reckon with.
As Director of Technology, Zach Peer leads the managed hosting team at One North. He establishes and maintains the appropriate policies, procedures and controls for One North’s hosted offerings and works to ensure the availability, security and performance of the hosting environment – which he modeled out of Legos (playing with Legos is one of his passions, both with his kids and without).
If I were a vegetable: I’d be a Cucumber because they are cool (and tasty on sandwiches).
Last thing you geeked-out about: Backyard Chickens