In this day and age, companies great and small are vulnerable to the attacks they are exposed to every day. From insider threats to simple phishing, organizations are always left guessing whether they know enough to handle them or are well prepared to face the risks. Educating your staff about basic computing hygiene is one thing, but ingraining in them security practices that they follow almost naturally, even beyond the confines of the office, is another. The latter involves being part of a culture where people think, act, and behave the same way. And we’re not just talking about an organic culture, but one that was created with intentionality at the core.
Before going further, let’s first find out why it’s important that we create and cultivate an intentional culture of security. We’ll also name a few misconceptions surrounding security culture and attempt to clear up each one.
A culture of security in the workplace has always existed, even before the computing era, although it has mainly been about physical security. A large area of the office is off-limits to the public, and only those with an access card or proper company identification can go in and out. Not everyone has the key to the HR filing cabinets. And when computers were introduced in the business world, confidential files shared among managers and executives were (and still are) for their eyes only.
Things have changed dramatically since then. Businesses maintain the physical defenses of their assets, but are hard-pressed to stave off threats from the digital realm. There is now a need for organizations to secure their online assets, but criminals have become adept at circumventing basic protections. Regardless of this, the negative perception people have about security—it’s reactionary, it hinders one from conveniently doing their job—persists today. This negativity is a dominant hindrance in further establishing and sustaining a culture of security.
It’s important to have a strong security culture because security is a strategic necessity, whether it’s protecting the data of customers or building relationships and offering services to other business clients. In both cases, trust is essential. Without sufficient security in an organization, those doing business with it would doubt that their assets are being treated with the importance and utmost confidentiality they deserve. (Note how Equifax stock dropped dramatically after their massive breach was discovered.)
On the other hand, a company with sufficient security has the advantage over competitors that lack it. When data and assets are protected, trust increases.
Finally, having a security culture in place makes compliance with laws and regulations easier. As regulators start imposing security practices that, frankly, should have been present in companies to begin with, organizations with a security mindset are more receptive to adopting these practices and absorbing them into the current culture.