Building a Security Awareness Culture: A Leadership View of IT Security - Innovate New Albany | New Albany, Ohio

Building a Security Awareness Culture: A Leadership View of IT Security

For decades, IT security and the risk of a data breach were solely a worry of the IT department. Those days are gone. They’ve been gone for a while, yet we still come across leaders who fail to understand: IT security and a data breach are the responsibility of the C-suite.

A data breach involves the loss of everything that matters. Everything that makes your organization unique (differing value proposition, intellectual property, customer lists, etc.) is at risk of being taken. In fact, the odds are more likely than not that you will be targeted. Criminals are not overly sophisticated hackers cracking into systems late at night, nor are most of them foreign governments with political goals.

Today, due in large part to RaaS (Ransomware-as-a-Service) and the ease of purchasing this code online, anyone with marketing abilities can enter this lucrative, albeit illegitimate, field. Those obtaining this stolen data flip it for Bitcoin, a non-traceable currency that acts like internet cash.

Death, Taxes & Ransomware

If you don’t yet know about Ransomware, odds are that you will. Ransomware is well-known software code used to extort money from people and organizations. There are many recent examples throughout central Ohio and the Columbus area, taking down systems for days or weeks, costing companies their reputations and many people their jobs. By many counts, its malicious code is contained in 1 out of every 130 emails sent in the US every day.

The US Department of Justice recently stated that 4,000 reported ransomware attacks occur every day in the US. Those are estimated to only be 1/100 of the actual number of attacks.

Culture Shift: Ransomware-As-a-Service

It’s no surprise that Ransomware, the weapon of choice for the digital mafia, has now expanded into the “as-a-service” world. It’s now ridiculously easy for criminals to extort money digitally. This “as-a-service” model means non-technical criminals can use a simple “point-and-click” user interface to build their own ransomware. In fact, it’s so common that companies compete on the Dark Web for criminals’ ransomware business.

Once the code is purchased, the criminals create a marketing campaign like any other, send an eBlast and collect their money. If you’re on the other end of it, that is where chaos ensues and livelihoods are damaged.

Crime Marketing & Customer Service

Ransomware is big business. The FBI estimates that this single type of breach will top well over $1 billion in 2017. It’s growing. The first quarter of 2016 had more attacks and breaches than all of 2015. So far, 2017 is gearing up to be the highest on record.

It’s so popular that criminals provide wide ranges of marketing (video, ads and events) to capture market share, as well as customer service to help make the transactions run smoothly.

They provide CRM-type platforms where one can track their ransomware “campaigns” like any other eBlast campaign, generating reports and evaluating ROI.

This allows ransomware to now be built and distributed by many more criminals, namely non-technical criminals.

A non-tech criminal can buy ransomware for about $400 and generate 50 times that in ransom in just days. The lure of that fast cash (Bitcoin, which then gets converted to cash without a trace) is the fuel in the engine of ransomware.

It can be stopped, though not by spending tons of money on systems. Ransomware is just a tool used by criminals, and crime is not going away.

Awareness has to be ingrained in the culture, and culture comes from the top. The best way of protecting your organization is through promoting a culture of security awareness.

Culture Includes “Security Awareness”

It’s essentially a breach of a leader’s fiduciary duty to expose personal and private data to untrusted and unknown parties. A data breach attacks and takes the very heart of an organization and gives it to the enemy.

At the end of the day, nobody wants to do business with any organization that will hurt them. In this sense, injury comes from a data breach. There are hundreds of examples of leaders of large and small organizations who have been forced to resign after a data breach.

Bottom line: there’s a new era of accountability at organizations of every size.

Whether it’s a reliance on “the way it’s always been” or the mistaken belief that IT is only the IT Department’s problem, the reality is that only the tasks to get it done rest with IT.

The old approach that “it’s an IT thing” is a dangerous mindset. If a server goes down or a PC malfunctions, you can still blame IT. But when a data breach occurs, it’s generally not due to systems failing. It’s usually human error from untrained staff.

The solution lies in a proactive collaboration between IT and C-suite decision-makers, one involving a layered approach of next-generation systems and a culture that includes security at all employee levels.

A security awareness culture needs to be created for all employees and the education needs to be ongoing through a regular cadence.

Leaders Decide Culture

The organization’s culture is the responsibility of the C-suite. Every organization has a culture, regardless of whether they realize it. Most startups and companies seeking to hire millennials focus on the benefits of their culture, which is valued higher than pay for many millennials. Culture is a set of common beliefs. It can often be a combination of formal policies, best practices, morale and vision. It comes from decision makers and company leaders. An organization’s culture needs to include IT security. It’s not just for the IT department to worry about.

IT security must be treated as a shared experience. It’s a daily due diligence every employee must understand. Best practices must be customized and implemented to fit your culture.

In our consulting and IT strategy for clients, we explore ways to build proactive cultures and expand the base to include IT security awareness. It’s the difference between productive business and becoming a statistic. We hope it helps. Stay safe.

David is a CIO-level consultant, trusted advisor, and strategic planner who focuses on guiding clients about IT security at All Covered IT Services. His goal is to expand the culture of an organization to include IT security as an integral part of its culture. All Covered leverages advances in technology to improve IT service models within organizations.
