Q: In my company, the IT directors see cybersecurity as an IT and software issue to be solved with software and hardware. How do I convince the team that employees need to also be trained on risky behaviorsome—thing that software and hardware cannot accomplish?
A: Cybersecurity is a people, process and technology issue. So it’s critical that there are policies and procedures in place to help manage and mitigate cyber risks. This involves ensuring that employees are aware of the policies, are implementing the procedures and are engaged in monitoring, and any kind of corrective action that’s needed. To do this successfully, you really have to make your employees aware of the risks, educate them on their role in mitigating them, and train them on best practices to ensure they are not contributing to risk but in fact mitigating it.
Q: When providing cyber training for your organization, should it be approached differently than other training topics in regard to frequency and duration?
A: First of all, cybersecurity training is such a critical issue for all employees that it should be integrated into the initial onboarding training that all employees receive. There should also be annual training that provides employees with a deeper level of understanding. Cyber threats evolve very quickly these days, so it is critically important that your employees (and board members) are kept informed of evolving threats throughout the year. While the majority of methods to entry into your system are understood, when new types of threats emerge, we advise keeping your stakeholders informed as quickly as possible. With this rapidly evolving landscape in mind, we recommend burst training segments designed to keep key concepts and practices top–of–mind throughout the year. Information reinforcement techniques like short quizzes, awareness posters around the office and email communications also help employees recall their cybersecurity knowledge before it is tested by a real cyber threat.
Q: In an enterprise-wide cybersecurity approach, what should be the role of the compliance team?
A: There are a few ways to go about answering this, but I think it all starts with having the ability to perform an effective risk assessment. The compliance function involves a cross-organizational approach and has the capabilities to truly identify a company’s greatest risk by developing its risk profile. After identifying and prioritizing risks, the compliance team can lead the effort in developing policies and procedures, documenting policies and procedures, and ensuring those policies and procedures are understood by a broad employee base. The compliance team understands where policies need to be quantified, where they have to be placed, and how to use codes of conduct, employee handbooks and web-based resources to disseminate that information.
Compliance folks also understand how to view cybersecurity risk through the lens of third parties and interpret how those relationships impact the company’s risk profile. Along with identifying third–party risks, the compliance function is equipped to develop and deploy training and awareness building for employees and key third parties alike. So there is a lot that the compliance group offers to bolster an enterprise-wide cybersecurity approach, and it all drives back to the department’s unique ability to create systematic ways of identifying when something doesn’t work and defining the corrective action that’s needed in response.
Q: Can you offer any advice on how to build the best case for getting more corporate resources dedicated to cybersecurity training?
A: Every day there is something in the news about organizations generally of all different sizes that have been breached and have had to deal with the impact of the loss, compromise or destruction of data. Making key decision–makers aware of the general threat landscape is helpful, but more helpful is making them aware of the threat landscape specific to your organization. It’s also key to help your colleagues understand any regulatory requirements that your organization faces in terms of government procurement, sector-specific regulations—that continue to evolve at the federal and state levels in the U.S. and around the world—or contractual or other undertakings that could require that certain information security capabilities be implemented in your company.
All of this provides context for articulating the potential financial, business and reputational impact of a cyber breach, and making threats real and relevant to your company and your sector.
Q: Cybersecurity is no longer a new risk, however the idea of approaching it with cross-functional engagement and shared departmental responsibility is still fairly new. Is there any guidance you can provide to identify who should be engaged?
A: First and foremost, it is important to emphasize that cybersecurity is an enterprise-wide risk usually involving all your business units, all your operational units, all your employees and all your key third parties. By its nature, it requires a cross-functional approach. Key players would be IT, Security, Legal, Compliance, HR, Operations, Procurement or your supply chain and customer support. Specifically for customer support—if your network is compromised or customer data is compromised, you are going to need a way to communicate to your customers and for your customers to contact your organization. Public relations and communications are also key. Those teams need to be able to articulate the company’s approach to cybersecurity and, should there be a breach, they will be key in helping the company communicate what’s happening and what it is doing to respond to it.
In short, a better question would be, which departments do not need to be involved? The answer to that is none.
Q: What is the biggest new threat currently facing organizations in regard to cybersecurity?
A: There are a number of new threats that come to mind, but there are also a number of threats that are manifesting themselves in new ways. To this point, ransomware is a new variation of an old threat. Stealing information has always been a threat, but now bad actors are holding this information until receiving a ransom, or threating to share the information publicly if a ransom is not received. In some cases, the biggest threat is the complete destruction of information, or just as threatening, the manipulation or corruption of that data—in essence destroying it.
Mobile usage is accentuating threats as well. Individuals are now managing a growing number of devices. A lot of sensitive information is now being managed remotely, with increasing access points. We are using the same mobile phone to change the temperature in our homes, access our corporate networks, or do our online shopping. There are just so many more connection points today to protect—and varying security controls on each access point.
By: Pamela Passman, President and CEO, CREATe Compliance
Latest posts by Ethics &Compliance Matters ™, Navex Global ® (see all)
- Impact of digitized environments & modern workplaces on internal investigations - April 15, 2020
- Whistleblower hotlines decrease the cost & duration of corporate fraud schemes - March 18, 2020
- Entering the era of operational resilience - February 27, 2020