This month advocates worldwide continue to shine the light on cybersecurity. In the U.S. this week’s National Cyber Security Awareness Month theme is “From the Break Room to the Boardroom: Creating a Culture of Cybersecurity in the Workplace.” We at Cisco firmly believe that people are a core component of an organization’s protection efforts, and organizations should place employees at the center of their security efforts.
Why? Because “mistakes” by employees account for one-quarter of data breaches, according to research from the Ponemon Institute.
To avoid such losses, it’s critical that organizations create a culture of cybersecurity awareness. Protecting proprietary and/or sensitive internal and customer data isn’t the sole responsibility of the IT department – nor should it be. While deploying the latest network defense tools is important, a successful cyber strategy should include developing a culture of cybersecurity within the workplace. The developers can focus on writing secure, quality code, while the human resources department and concentrate on maintaining employee privacy. It’s about instilling best practices into the day-to-day routines of the entire workforce, to the point where it is a healthy lifestyle choice in support of your organization’s ‘cyber-health’. A workforce that follows regular practices that keep data assets safe can help minimize risk.
At Cisco, we take the following people-centric steps to drive company-wide security awareness:
Educate them. According to the Ponemon Institute research, employee training reduces the cost of every compromised record by $9. Through training, websites, articles, digital signage, videos, all-hands meetings and blogs, we’re constantly educating our workforce about cybersecurity. Take phishing, for example, which is the number one source of endpoint compromises and something that any employee can fall victim to. We show employees what a phishing scam looks like, with an adversary “disguising” a malware-containing link to appear like a legitimate business inquiry, like this example:
We illustrate the proper way to obtain, classify, mark and store customer data so it is safeguarded. We make it clear that external, non-Cisco approved, cloud file sharing tools put data in danger – and emphasize the use of Cisco-approved tools.
Passwords are a simple, but big, part of our educational efforts. We teach employees how to use more effective passwords – a mix of letters and numbers and special characters – and enforce policies that require the changing of passwords on a regular basis.
Test them. Every effort to educate should involve a test, shouldn’t it? At least we try to make it fun. Remember how we show employees what a phishing scam looks like? To determine whether they’ve paid attention, we periodically send phishing emails to all employees. For those who “take the bait,” they are immediately directed to what we call the “Phish Pond,” an internal landing page. Here, our information security team explains what they did wrong, and how to avoid it in the future. Soon after that, we email to them another mock phishing attempt and, if they click on the suspect link again, we send them back to the Pond for more education.
We also make abundant use of online polls and quizzes – a quick way to reinforce best practices and behaviors to avoid. In addition, we’re collecting and analyzing responses to get a better sense of the level of knowledge of our workforce on the topic.
Make them accountable. Ultimately, we need our employees to understand that we are not requesting they apply cybersecurity hygiene to their usage of the network, computers, mobile devices, apps and data – we’re mandating it. Every year, all employees must review and sign a code of business conduct that covers a broad range of topics, including cybersecurity and data protection. With this, they are committing to a standard of accountability that defines their responsibilities to Cisco and its customers.
Our Phish Pond exercise enters the equation here too: If employees “bite” for a third time, we work with them and their managers to come up with a formal, corrective course of action – one that inevitably involves more intensified training.
Cisco’s dedication to a culture of cybersecurity awareness goes beyond being just a “workplace thing” – we’re cultivating a digital lifestyle. Our employees should completely understand that they play a critical role in the protection of our systems, data and, ultimately, the company. Like avoiding a medical virus in life, you seek to identify where and how problems happen, and change behaviors accordingly.
We stress to all our employees that this really is about business, and that we do not want our data protection policies to restrict them from achieving ROI-generating strategic goals. Guardrails, after all, do not block traffic – they keep cars from going off a cliff. From their first day to their last, our employees learn where the cybersecurity “cliffs” are – and more importantly, how to steer in the right direction.
Steve Martino is Vice President and Chief Information Security Officer at Cisco. For more information on data protection, visit trust.cisco.com.
Join the National Cyber Security Month conversation on Twitter @CiscoSecurity #CyberAware.
Clearly employees education on secure practices are key!
This is educative and informational. How can i integrate these into my company IT policy.
The best way to incorporate these approaches into your company is by partnering with IT, Security and HR to embed awareness into both the Security program and employee training/awareness programs. We align it with our annual employee code of business conduct training to make them aware of their obligations to protect the company data/resources and with the security program around the ongoing phishing tests to give them real experience and when needed on-the-spot training on helping us reduce incidents through their actions. Then we also do security specific training based on job role so it’s relevant to them and their job/processes. So seek the alignment across Security, IT and HR and go for general to specific to maximize the impact and make it relevant to each individual person.
Agreed! Cisco can provide its technology to help eliminate threats. But, without educating employees on responsible use of their connections, it will be a wasted investment. In this era of smart connected things, people don’t realize that their car’s Bluetooth can be a wide-open portal to a hacker.