Improving Organizational Cybersecurity Through Cultural Change

September 23, 2020
Improving Organizational Cybersecurity Through Cultural Change
Resiliency within an organization can be improved through better security practices.

An important component to reliable security is employee behavior. Employees are a part of any cybersecurity efforts’ success or failure. In this article, we’ll look at several key areas related to improving organizational cybersecurity.

Operational Security and Accessibility

Improving enterprise security is about more than updating security protocols. It requires that employees follow the new protocols. A report from Shred-it found that 47% of cybersecurity incidents were related to employee error, as reported by CNBC These incidents included loss of devices or critical documents.Sometimes security incidents are as simple as employees giving out their passwords or providing access to information for coworkers who shouldn’t have such access. A survey from IS Decisions discovered that 48.8% of employees answered yes to the questions, “I already have shared by passwords or login details.”Changing employee behavior is no small feat. But discussing the ramifications of poor security practices with employees can have a positive impact on their behavior.

"If they're not aware of cybersecurity before we hire them, we'll make them aware," Charlotte Gibb, co-owner of the Walnut Creek, California developer that supplies software to the hotel and hospitality industry, said to CNET. "Our customers are often targets of cyberattacks and so we have to be very alert as to how this might affect our customers. We take cybersecurity very seriously."

Secure Storage and Verification of Data Backups

The importance of the relationship between storage of data and its security is mentioned in a paper produced by SNIA (Storage Network Industry Association), “Few other elements in the IT infrastructure have a more important relationship with data than that of storage systems. They may also be the last line of defense against an adversary, but only if storage managers and administrators invest the time and effort to implement and activate the available storage security controls.”For data security administrators, they must juggle what’s known as CIA:

  • Confidentiality — access only to authorized users.
  • Integrity — reliability of data.
  • Availability — data is available to everyone in the organization who is authorized and needs access.

Securing data is a very dynamic task. It can’t be sealed off because then it becomes useless. But it can’t be open either because then it becomes vulnerable. Whatever security is put in place must also allow practical access without overly burdening users.

There’s a delicate balance that must remain in place between access, security, and convenience.

A startling stat from a 2017 report by Washing DC-based Clutch found that 58% of small businesses are not ready for data loss. Even scarier is that 60% of SMBs that lose data will close within six months.Data backups are more than backing up data. Validating backups is a big part of any thorough backup process. Automated backup validation helps determine if there is anything wrong with a backup. However, automated backup validation can’t tell if you if your data is accessible. Just because it looks fine on disk and the backup didn’t encounter any problems doesn’t mean everything is ok.To fully determine if backed up data is truly intact requires restoring the backup. That’s a resource-intensive process and not one that can be done every day. As the saying goes, restore as much as you want to lose.It doesn’t mean every backup needs to be restored and checked. But periodically checking backups through restoration provides peace of mind that you can’t get through automated methods.

Controlling Access to Information at Various Sensitivities

Controlling access to information means granting access to only authorized persons. Within a group of authorized persons, each person may have specific access. Levels of access increase with more privileges.As an example, new hires may have the lowest level of access. Contractors may have a level above new hires and so on. Some people may only have view access while others have read/write access. What access someone has depends largely on that person’s role and their need for access to data.Software developers often need access to lots of data for testing. Developers auto-generate data for testing, but using real data can present edge cases, providing more thorough testing. In this case, real data can be obfuscated so that personal information is not identifiable. Software developers are able to then run tests on this “cleansed” data that better match real-world scenarios.

In-person communication with staff about security will have more impact than an email blast. Letting staff know how bad practices can impact customers is also effective. Staff should attend regular security training. All of these efforts show staff that the company is serious about its security initiatives. Additionally, customers will benefit from improved security methods and practices.

Acknowledgement: Sources are provided for informational and reference purposes only. DeWitt has no vendor affiliations, offers no products, and has no conflicts of interest.
Ready to start?
Schedule a free consult to see if we are a fit and start achieving your goals. We can also design a custom package for your business.
A new perspective
Our latest thinking on the issues that matter most.
Help & support
We're here to help with any questions.
X icon.