Engaging global staff to build a resilient cybersecurity culture

In today’s digital landscape, cybersecurity and the constantly evolving threats from cybercriminals are a pervasive concern. The World Economic Forum’s 2019 Global Risks Report ranks cyberattacks as one of the top five risks to business, reaffirming the need for CEOs worldwide to prioritize this issue.

No organization is immune to attack, as demonstrated by recent incidents that have left large financial institutions, healthcare groups, mobile carriers and even intelligence agencies compromised. On top of better-understood dangers such as data breaches, vandalism and extortion, emerging risks include attacks targeting the C-suite, AI-driven malware and attacks launched from cloud computing environments.

The consequences of such incidents can be severe and long-lasting. Organizations usually face substantial financial losses, including legal costs and regulatory fines, as well as a decrease in brand value. Day-to-day operations might be temporarily suspended, especially during the investigation process, and if intellectual property is compromised, businesses will likely lose their competitive edge in the market.

Above all, a breach can cause serious damage to an organization’s reputation. We live in an age of heightened concerns around data privacy, and maintaining trust is more important than ever before. Once trust is broken, it often remains broken. An attack can destroy relationships with customers, as well as employees, suppliers, partners, clients and investors.

It’s evident that business owners must work harder to mitigate these threats and optimally protect their operations, employees and, above all, the customers who entrust them with sensitive data. Cyber and information security can no longer be seen as a separate business issue; instead they must be integrated within the core business operation. This means building and nurturing a culture of security within your workforce.

More than 99% of attacks require human interaction to succeed, which makes investing in human defences the most important part of any business's cybersecurity strategy. For those who operate globally, the need for a resilient cybersecurity culture is heightened. Expansion into new territories brings additional security challenges: from understanding local regulation and legislation, to knowing how data is stored in different countries and adapting security measures accordingly.

IT expertise also tends to be centralized, but it’s crucial that staff in all regions understand the risks and take a proactive approach to identifying and mitigating them.

A documented cybersecurity policy is the foundation for building this resilience. Guided by the information security standard ISO/IEC 27001, any business can create and implement an information security management system (ISMS), aligned with its strategic goals and in accordance with international best practice. ISO/IEC 27002 also helps companies develop security guidelines that meet international standards.

A comprehensive ISMS is especially important for groups spread across multiple locations or countries. It should cover all end-to-end processes related to security and define responsibilities in the event of a breach. ISO/IEC 27001 takes a holistic approach that puts effective education and awareness training front and centre, so employees readily understand risks and embrace controls as part of their everyday working practices.

A top-down approach to positive cybersecurity culture is most effective, with senior management teams using standards to optimize security-awareness training and strengthen the cybersecurity chain.

Setting cybersecurity as a standing agenda item at board meetings will help underline its importance and encourage an open dialogue, while ongoing internal communications and reminders will keep staff informed and engaged. You could also consider running phishing simulations and other training scenarios to assess specific training requirements and risk areas.

Another security area to address is the shift towards Bring Your Own Device (BYOD) working. The challenges of BYOD are more complex for larger, global corporations. It places additional responsibilities on IT departments, who must maintain an array of different devices and operating systems, while ensuring each machine is not vulnerable to known security flaws. Differing regional attitudes to BYOD might also prevent a company from launching a full BYOD program.

These situations require the right awareness and understanding from staff when it comes to their security responsibilities. Implementing an effective BYOD policy, in line with ISO 27001 requirements, will allow you to enjoy the benefits without compromising security. This should include guidelines for acceptable use of devices in and out of the workplace, password updates, encryption and downloadable software, as well as procedures for device or data loss and for onboarding and exit processes.

Keep in mind that BYOD usually works with a cloud computing setup, which must also be managed appropriately. ISO/IEC 27017 outlines guidelines for information security controls around the provision and use of cloud services.

While striving for robust information security, privacy management must also be considered. ISO 27701 helps organizations protect and control the personal information they handle. Certification to this standard demonstrates compliance with global privacy regulations. It necessitates appropriate training for all staff who have access to personally identifiable information, further empowering employees to become your best protection against attack.

Cyber resilience is an ongoing process, not an objective. With a standards-based approach, organizations can implement a robust approach to managing information, one that is embraced at all levels and in every region. Through creating a culture that promotes organization-wide defence, your business will be better positioned to protect itself and safeguard not only your data, but your people, finances and reputation too.