There is no work-life balance in cybersecurity — part II

From board meetings to daily tasks, who owns cybersecurity risk for the company?

Bruno Triani
badrap.io


This article is the second of a series of three through my journey to understand how people and companies are dealing with cybersecurity. In the first one, I raised attention to the number of actions we perform online and how blurry the boundaries of digital trust can be.

Part I — Where are the boundaries of trust?

Part III — 3 steps to engage employees in cyber hygiene

(Photo by Dylan Gillis on Unsplash)

If everybody is responsible, nobody is accountable

Many times, when I reach out to companies to understand how they are dealing with the cybersecurity of their employees, a ping-pong of responsibilities starts. I talk with the CEO and, as soon as the word “cyber” is mentioned, the name of the CIO comes into the conversation: “We have this person taking care of our systems, you should talk to him/her.” Right, so the Chief Information Officer is asked how they are managing cybersecurity. This time the word “security” catches his attention — “We are doing pretty well, our security tools are in order.” I explain that I would like to discuss how they are ensuring employees follow best practices, such as awareness and training. “Sure, we have periodic training. But that part is with HR.” I don’t need to mention that when the Human Resources manager hears the word “cyber”, something like this comes back: “It is better to involve the IT person in the meeting.”

Cybersecurity awareness table tennis

Awareness is not about IT

Companies have to manage their data and their workforce. Just as we struggle to manage our personal and professional credentials (as happened with my LinkedIn account), businesses face the challenge of not only controlling access and rights but also ensuring that every individual is aware of the digital threats involved in their job. But before discussing the balance between security and convenience, it may help to understand better how different business units can cooperate on the solution. Why should CMOs, CFOs or even HR be engaged in cybersecurity awareness? Because no one understands the needs of their own units better than they do. If an attacker reaches customer service pretending to be a valid customer in order to obtain privileged information, the chief marketing officer will have to explain later what happened. If procurement follows an “urgent” internal request and pays a fraudulent invoice, wouldn’t the chief financial officer care? Who ensures that the recruiter doesn’t open that email attachment that looked like a resume?

Making it personal

Cybersecurity awareness for individuals only works once each person understands where they stand in this tension between efficiency and risk. We can shift the blame for security breaches onto third parties, but the consequences affect us directly. Enforcing a password change just because a policy rule says so only makes people do the bare minimum to keep their access. It would be more effective to show them that their credentials were exposed in a data breach and that many of their accounts could be vulnerable. Current attacks against businesses and individuals rely on failures to follow good cyber hygiene practices.

In the last article, I will share 3 steps to engage employees in cyber hygiene: from personal motivation and awareness-raising to checking their digital assets.
