Importance of creating a Cybersecurity Culture.

Importance of Cyber security culture

Every time I meet and talk with a senior HR leader these days, I ask them a very simple question: Do you know how secure your organization is, and what are you doing to strengthen your cybersecurity? I find their answers fascinating, and they give me an insight into how equipped organizations are to combat the rising challenge of cyber threats.

Cybersecurity is not only an IT department responsibility, tucked away in the office of the Chief Information Officer (CIO) and/or the Chief Information Security Officer (CISO). Modern-day cyber threats are complex, well-coordinated and persistent. They are intricately planned by malicious threat actors and may even be backed by nation states.

Considering these repercussions, organizations have started realizing that employees play a key role in defining how prepared an organization is when it comes to dealing with a cyberattack. A recent report from EY indicates that employees are the weakest link in an organization's cybersecurity chain.

As per PWC’s latest Workforce Plus Survey, only 30% of surveyed employees said they received training on protecting company data and information. The survey also indicated that employees are hesitant to escalate security incidents: only 26% of respondents agreed that they could escalate a security incident they had caused to their employer without fear of reprisal.

How can HR play a pivotal role?

From the hiring stage through onboarding and finally offboarding, the Human Resources department is the function with the maximum number of touchpoints with all employees.

The HR department and related shared services centers (SSCs) are also a key function when it comes to capturing, storing, and processing employee-related data classified as PII (Personally Identifiable Information).

Cyberattackers can use this data for all kinds of nefarious activities. For example, they can analyze this data to identify employees who will be onboarded and send them fake offer letters. Or, to use another example, they can find the CEO’s direct reports and email them pretending to be the CEO. These two examples are just an illustration of the kind of havoc malicious threat actors can cause. This is one of the main reasons why HR departments must discuss such possibilities with the IT team, design policies and processes, and establish the controls required to keep this data secure from external threats.

With regulations such as the European Union’s General Data Protection Regulation (GDPR) and India’s upcoming Personal Data Protection Bill, organizations are liable to heavy penalties if they are not able to keep such important confidential data secure. It is therefore necessary that the HR team collaborates with IT, Finance, Admin, Procurement and other functions, and takes the lead in creating an organizational culture where cybersecurity is everyone’s responsibility.

While organizations scramble to keep confidential data secure, they should also remember that data security is just one component of an overall cybersecurity program, which touches every aspect of the business. In that respect, organizations should ensure that all systems, policies, and processes align to create the required culture of cybersecurity.

Based on our interactions with some of our clients, we are sharing a set of questions that one should answer in pursuit of their cybersecurity goals.

Q. Have we identified our cybersecurity strategy?

Q. Are our employees aware of correct cybersecurity practices and the repercussions of not following them?

Q. Do our employees receive sufficient education on cybersecurity?

Q. Are we assessing threats and risks regularly?

Q. Do our employees know the correct procedure to follow if they suspect a cybersecurity violation?

Q. Are there enough reinforcement mechanisms to understand the pain points?

Q. How are our policies, processes and systems complying with our cybersecurity goal?

I am sure that when we start answering these questions, you will clearly be able to see what vital steps need to be designed and taken to accomplish the cybersecurity goal.

If you need to discuss your organizational cybersecurity requirements, please contact the author.

Related links

EY article: Your employees are the weakest link in your cybersecurity chain

PWC article: It’s time to adopt a cyber-savvy culture
