{"id":13654,"date":"2018-10-23T11:00:03","date_gmt":"2018-10-23T19:00:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/23\/news-7421\/"},"modified":"2018-10-23T11:00:03","modified_gmt":"2018-10-23T19:00:03","slug":"news-7421","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/23\/news-7421\/","title":{"rendered":"How to Create a Security Culture"},"content":{"rendered":"<p><strong>Credit to Author: Jay Abdallah| Date: Mon, 22 Oct 2018 21:22:48 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-52249\" src=\"https:\/\/blog.schneider-electric.com\/wp-content\/uploads\/2018\/10\/create-a-security-culture-1024x683.jpg\" alt=\"\" width=\"1024\" height=\"683\" srcset=\"https:\/\/blog.schneider-electric.com\/wp-content\/uploads\/2018\/10\/create-a-security-culture-1024x683.jpg 1024w, https:\/\/blog.schneider-electric.com\/wp-content\/uploads\/2018\/10\/create-a-security-culture-300x200.jpg 300w, https:\/\/blog.schneider-electric.com\/wp-content\/uploads\/2018\/10\/create-a-security-culture-768x513.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/> <\/p>\n<p>With ever increasing media coverage of cybersecurity attacks, the awareness of cybersecurity is expanding. 
This important subject is something everyone is talking about in manufacturing facilities across the globe.<\/p>\n<p>With an increased level of awareness, creating a security program and building a culture within an organization around security, much like safety, go hand in hand.<\/p>\n<p>The posture of security must be injected into everything within the organization.\u00a0 Everyone must be involved, from Human Resources (HR) to Finance; Engineering teams, and even some of the unsung players such as Facilities must be involved.\u00a0 And like any important initiative within an organization, it is critical to have executive support.<\/p>\n<p>Executive leadership and HR should consistently support training programs for employees.\u00a0\u00a0 Employee training should happen regularly so the message about the importance of an ongoing security lifecycle comes through loud and clear \u2013 and often.<\/p>\n<p>Even though cybersecurity is a combination of people, processes and technologies, we have to step back and look at some of the more basic things like &#8211; what are we doing about physical access? Do our people really know about physical access security? How can we add new levels to guard against social engineering? 
How do we test to see if our employees are listening?<\/p>\n<p><strong>Consistent Message<\/strong><\/p>\n<p>Yes, we initially talk about education and awareness, but we need a more prescriptive approach that starts with executive sponsorship of the cybersecurity program and filters through with consistent education.\u00a0 Much like training, written mandatory policies must filter down from executive leadership, to HR, then to upper management, middle management, and so on.\u00a0 If you stay consistent in delivering the security message, it just becomes embedded into the organization\u2019s culture.<\/p>\n<p>One case in point &#8211; when someone leaves a keyboard unlocked, other employees who notice this should remind the person of that \u201cinsecure\u201d behavior.\u00a0 Just like when someone sees an unsafe practice on the plant floor. \u00a0Or, when someone swipes into the building in the morning and two or three people piggyback in with them; someone should stop them and ask for their badges.<\/p>\n<p>Creating a security culture not only comes from training and education, but also everyday practice. In some industries, like critical infrastructure, manufacturing, transportation, telecommunications, finance, hospitals, healthcare, and oil and gas, the security culture is good; not great, but it is getting better. \u00a0However, in many small or medium-sized business operations, it needs a lot of work.<\/p>\n<p>I came across a situation once where someone I know suffered a ransomware attack on his company\u2019s database. In troubleshooting the incident, I realized that recovery was a useless effort because the ransomware impacted the main database as well as their backup databases, operations, finance, payroll, and HR data.\u00a0 Even further, it also impacted the local police department. 
They had not created an environment where everyone was thinking about security; one thing led to another, which cascaded into a cybersecurity nightmare for the company.<\/p>\n<p>Creating a stronger Cybersecurity culture starts with people and it takes consistent effort and time.\u00a0 Here are some elements of a healthy cybersecurity culture:<\/p>\n<ol>\n<li>Executive support \u2013 This is actual support, not just talking about it. It means that company leadership are committed to cybersecurity by assigning budgets, creating specific organizational roles, and openly communicating their support and demonstrating their commitment through actions.<\/li>\n<li>Policies and Procedures \u2013 Typically involving Human Resources, good companies have documented clear policies and best practices for employees regarding cybersecurity. The \u201cDos and Don\u2019ts\u201d about everything from physical security to the use of USB keys.<\/li>\n<li>Training \u2013 it\u2019s not enough to have a policy manual sitting on a shelf, companies should integrate employee training and awareness programs. These could use videos, classroom training, web-based or other forms.\u00a0 But a key point is that this training should match the job function and needs to be refreshed at least annually.\u00a0 And employee participation should be tracked to ensure that the content is reaching the employees.<\/li>\n<li>Testing \u2013 This is not product testing \u2013 it\u2019s \u201cpeople testing\u201d, or measuring employee engagement. 
Companies that are serious about creating a cybersecurity culture will perform internal phishing exercises and other internal tests.\u00a0 Monitoring employee engagement to see who is \u201cgetting\u201d the message is used to track and improve training and engagement.\u00a0 Awards, penalties, and other recognition can help get people engaged, even in a fun way.<\/li>\n<li>Communication \u2013 Cybersecurity should consistently be part of the company conversation.\u00a0 Through internal newsletters, posters, stories and other recognition, a healthy culture will evolve.<\/li>\n<\/ol>\n<p>People are the first, and most important line of cybersecurity defense.\u00a0 Getting everyone on board and understanding their role will not only mitigate risk, it can help new ideas evolve without fear and contribute to company growth and strength.<\/p>\n<p>Visit the <a href=\"https:\/\/vshow.on24.com\/vshow\/SchneiderCyberVA\/exhibits\/Resources\">Cybersecurity Virtual Academy Resource Library<\/a> for more articles, videos and webinars on this topic including an article by Gary Williams on \u201cDefense starts with Employees\u201d.<\/p>\n<p>&nbsp;<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.schneider-electric.com\/cyber-security\/2018\/10\/22\/how-to-create-a-security-culture\/\">How to Create a Security Culture<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.schneider-electric.com\">Schneider Electric Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.schneider-electric.com\/cyber-security\/2018\/10\/22\/how-to-create-a-security-culture\/\" target=\"bwo\" >http:\/\/blog.schneider-electric.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Jay Abdallah| Date: Mon, 22 Oct 2018 21:22:48 +0000<\/strong><\/p>\n<p>With ever increasing media coverage of cybersecurity attacks, the awareness of cybersecurity is expanding. 
This important subject is something everyone is talking about in manufacturing facilities across the globe. With&#8230;  <a href=\"https:\/\/blog.schneider-electric.com\/cyber-security\/2018\/10\/22\/how-to-create-a-security-culture\/\" title=\"ReadHow to Create a Security Culture\">Read more &#187;<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.schneider-electric.com\/cyber-security\/2018\/10\/22\/how-to-create-a-security-culture\/\">How to Create a Security Culture<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.schneider-electric.com\">Schneider Electric Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[12389,12388],"tags":[12608,17880,19938,12665,18422,12554,12508,12734],"class_list":["post-13654","post","type-post","status-publish","format-standard","hentry","category-scadaics","category-schneider","tag-cyber-security","tag-cybersecurity-academy","tag-cybersecurity-defense","tag-cybersecurity-knowledge","tag-cybersecurity-lifecycle","tag-industrial-cybersecurity","tag-machine-and-process-management","tag-security-culture"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13654"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13654\/revisions"}],"wp:attachment":[{"href":"http:\/\/www
.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13654"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}