Looking beyond the fundamental protective tools, we can sum up the key to a successful cybersecurity policy in just one word: people. However, educating and training staff in IT risks involves more than just applying a few basic rules. You also need to develop an internal “cybersecurity culture”.
According to the 2018 Cybersecurity Study by Deloitte, employees are responsible for 63% of internal security incidents. Yet, as shown by ISACA and the CMMI Institute in the 2018 Cybersecurity Culture Report, many organisations rely heavily on technology for their cybersecurity and fail to invest sufficiently in what should be their first line of defence: their workforce.
The need to develop an in-house culture of cybersecurity
Cybercriminals are skilled in identifying the weakest links in a company. Often, they look no further than the personal information shared publicly on social media. An employee’s interests, the birthdays of their children or the name of the family pet can all be used in spear phishing attacks or provide clues for hacking passwords.
“People are the greatest point of vulnerability when it comes to cybersecurity. The breach may be accidental (mistakes, forgetting or failing to respect instructions), or it might result from data compromise (unwittingly enabling malicious intrusion) or premeditation (causing intentional harm for a variety of reasons),” says Franck Nielacny, Chief Information Officer at Stormshield.
The risk of data compromise, in particular, is increasing. “All companies and all employees can be threat vectors. This is true for mass attacks, as in the case of the WannaCry ransomware in 2017, but also for highly targeted attacks, where they are unwitting players,” warns Stéphane Prévost, Product Marketing Manager at Stormshield.
Corporate cybersecurity: everybody’s business
Even when everybody has understood the need to place people at the core of the corporate cybersecurity policy, you still have to persuade employees that cybersecurity is everybody’s business. To successfully develop a shared in-house cybersecurity culture, five key players need to be involved, according to Franck Nielacny: “management, employee representatives, HR, the head of IT security and the IT director”.
The process is far from simple, for a number of (good) reasons. First, the new security processes are generally viewed by employees as yet another constraint. At the same time, many companies have a siloed organisation that is not necessarily favourable to teamwork. A shared culture cannot develop effectively with only minimal cooperation between departments. As a result, it appears difficult to collect practical real-time feedback on each company’s vulnerabilities and to find a way to address them quickly.
The cybersecurity culture needs to place even greater emphasis on integrating security from an early stage in the business software development cycle. This is one of the best ways to educate all corporate departments on managing sensitive data! With the GDPR, “Security by Design” has even become a standard, ensuring that the software itself does not become the weakest link in the security process. Often, however, it is the lack of qualified in-house staff that hampers efforts to deploy an ongoing information policy on IT risk.
The emergence of a cybersecurity culture can also be hindered by an approach that is too top-down. Getting employees on board requires active involvement from senior management as well as middle management. As a result, the end user and his/her needs must always be the key concern. For cybersecurity to be effective, it needs to become part of everyday practices. At Stormshield, one of the measures put in place to instil a cybersecurity culture involves ‘punishment by pastry’. If an employee leaves their workstation unlocked when they are away from their desk, their email is ‘hacked’ and they have to buy a round of croissants for the whole office. This method has proved to be highly effective.
Implement protective solutions tailored to business use
It must also be recognised that every company handles cybersecurity in its own way, and many still have a distant relationship with the subject. It is precisely in these cases that raising employee awareness is all the more necessary. “A reasonably attentive user can avoid many risks on their own,” recalls Matthieu Bonenfant, Marketing Director at Stormshield, “especially because threats are often linked to careless and distracted employees rather than to staff acting with malicious intent.”
According to Nielacny, “in order to tailor security measures as well as possible, it is essential to understand in advance how staff use the tools available to them and how they handle critical data”. One problem not to be underestimated is “shadow IT”, that is, the tendency of employees to adopt new applications for professional use without first consulting the IT department. Another key requirement is to ensure “that all security procedures are harmoniously integrated into the working processes of every department”, adds Stormshield’s Chief Information Officer.
Last but not least, flexible working must be considered: “In the era of remote working, connected objects and outsourced ERP systems, the internal security perimeter no longer makes sense. Companies can strengthen their security measures by, for example, better segmenting data flows. Such segmentation, designed according to the ‘zero trust network’ principle, makes it possible to contain a threat and prevent it from spreading,” concludes Nielacny.