Hello! My name is Teresa Devine, and I am a business transformation advisor here at Cisco. I help large enterprises in retail and hospitality define and execute digital transformation strategies. A key area of interest of mine is security: As a former Fortune 500 CIO and acting CISO, I understand the demands and complexities that retailers face, and certainly security is at the top of the priority list.
Companies today face big challenges in securing their networks to prevent malicious malware, hackers, and the threat of the kind of data breaches that make major and costly headlines. Yet despite these real threats to brand reputation, the fact is that employees are actually one of the greatest security risks to your organization, whether by accident, through ignorance, or due to active malice.
To protect against these internal threats, you need to foster a culture of security that supports long-term prevention and decreases business risk. This includes establishing a strong information security governance and awareness program. I’d like to discuss four simple but effective ways to help grow a security culture and mindset.
1. Take a Top-Down Approach
First, take a top-down approach and champion the information security awareness program at the executive security committee level. Part of an effective information security program and strategy should include such a committee to steer and govern security policies, procedures, and security-related decisions for the company. Gaining sponsorship and support from this committee is key to the success of the awareness program. Culture is driven from the top, and when executive leadership openly supports and promotes a culture of security, the adoption rate will increase dramatically.
2. Train New Hires on Security
Second, be sure that every employee is exposed to your security measures right from the start by incorporating security awareness training into the on-boarding process. It is common to have a large population of employees who are not aware that storing sensitive PI (personal identification) data such as credit card numbers or social security numbers can cause a risk to the company. Including information security training videos and compliance testing into on-boarding is a great way to educate new employees about sensitive data procedures and other important policies to protect the company and integrate a security-focused mindset. Employees want to do the right thing and will welcome the opportunity to become part of the solution.
For existing employees, host lunch-and-learn sessions and require a compliance training. For free training videos, awareness posters, and other resources, visit the website of the SANS Institute, a non-profit security organization.
3. Keep Security Top of Mind
Create an information security newsletter, posters, and other internal materials to educate and promote awareness. Partnering with the marketing team is a great opportunity to develop great-looking information security collateral and also helps strengthen cross-departmental teams. Adding security awareness topics, tips, and insights into existing company newsletters is another effective way to increase awareness and leverage existing methods at a low cost.
4. Engage and Reward Employees
Engage with your employees to help foster a security-minded culture. Perform social engineering tests and reward those who pass the test or report real security threats. Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A common method that hackers use to manipulate employees is to disguise themselves as the company IT support desk and request login credentials from the employee in order to enter company systems and retrieve private and valuable data.
Other methods include phishing emails. In one incident, for example, fake emails were sent to HR departments supposedly from company leaders, requesting copies of all employee W-2 forms. Unfortunately, many HR departments complied! Other emails may purport to come from a reputable sender in order to bait employees into clicking on links embedded in email messages. The executed link then automatically downloads viruses or other malicious attack.
These four steps are a great way to get started with creating a more secure company culture.
Cybersecurity is shifting quickly as a growth advantage, and retailers who have already adopted this are seeing the benefits. Security is critical to a solid digital strategy, ensuring agility in meeting accelerated digital market demands and to support rapid innovation during this time of digital disruption.
You’ll be hearing from me again on this and other topics – I look forward to speaking with you and receiving your comments. In the meantime, for more information on social engineering, please go here. And, for more great ideas and resources on how Cisco helps to foster a culture of security, please go here.