Security is a Culture, Not a Cult

The March/April edition of Claims Magazine contains an article called “Build a Strong Security Culture to Guard Against Risks.” The article says this, in part:

A security culture supports the objectives and values related to security protecting the data and technology the company uses to do its work while protecting employees, customers, vendors and others. Security culture can be defined as the ideas, customs and social behaviors of a group that influence its security. Having a good security culture means security is embedded in the organization. Clearly, that’s important to provide the broadest level of protection for organizational data and systems.

Making sure you have the right tools and software in place to secure your organization against data breaches, viruses, and ransomware is one thing. Making sure your people have the appropriate mindsets and awareness — and making sure they know how to respond to perceived threats — is another.

“By failing to prepare, you are preparing to fail.” (Benjamin Franklin)

You can prepare your people and your organization by following six steps:

  1. In addition to having the right tools and software in place, make sure your people know to log all suspicious behavior and know what steps to take to restore the safety of your environment.
  2. Teach your people that all software can be exploited and that there are bad actors who make their livings by exploiting it.
  3. Understand that simpler is better. The more complex a system or infrastructure is, the more difficult it is to administer and maintain and the easier it is for a hacker to find and exploit vulnerabilities.
  4. Insecure protocols — even if you attempt to conceal them with obscure ports and other tricks — are still insecure. Don’t let your people use them.
  5. Safety first. If you teach your people to consider all input as potentially hostile and to verify anything and everything they accept, your people and your infrastructure will remain more secure.
  6. Provide the least amount of administrative access necessary for particular people to perform particular operations.

Does that seem simple? Good. It should. Complexity invites confusion and risk. Simplicity enables clear understanding, confidence and … well … security.

Security is not a cult. But it should be an integral element of your culture.