When someone says that a business needs to have a security culture, it can be a challenge to understand what that is, but it is quite simple. A business must be security aware, and that means everyone, not just the IT department. Without a security culture, many staff and managers will ignore, complain about, and even bypass the technical security controls that get in their way.
A security culture starts at the highest level of management, as they are the ones who set the examples and provide the guidelines and policies that the rest of the business will follow. If senior management doesn’t have a security culture, it is going to be extremely difficult to have one within the business.
If IT is trying to assist with developing a security culture, it might help a bit, but it is still going to be a challenge without senior management buy-in. IT can assist with the implementation of security training, such as awareness training, but if senior management isn’t taking it themselves and setting guidelines about it, it doesn’t help the security culture within the company.
One of the biggest things that needs to be done is for senior management to develop enforceable policies covering what an individual needs to do to stay secure when using company assets, or even when on company property. These policies also need to be followed by senior management, otherwise they aren’t going to work.
So many senior managers think they are doing the right thing themselves, but so often it turns out that they are not aware that what they are doing is putting themselves and the business at risk. Senior managers may have some security awareness, but given the speed at which the world is changing, they need to keep up with it. It is amazing how often we have heard that someone has left their laptop in their car, in their garage, and they think it’s safe, but it really isn’t, because garages can be broken into and devices that are in the car could be stolen. We have also been told that all laptop users turn off their laptops each night, only to see that they just close the laptop and take it from location to location. Is it locked? Maybe not. The other question with laptops is why they are sitting in the office overnight, turned on, logged on and not secured, as this is another security risk.
Senior management needs to set guidelines and policies that are enforceable so that employees understand that there is a cost for not following the policies. At first, it can be a warning for violating the policy; the second time could be some unpaid time away from the office; and then, depending on the policy that is being violated, it could result in termination.
Overall, security is about having people within the business who will support and follow the various policies and guidelines. A business is only as secure as its weakest user, and everyone needs to understand that.