We’re only human, which means the National Cyber Security Alliance cuts us a little slack when it comes to our inability to recall 30 passwords for different personal and professional log-ins, says Russ Schrader, executive vice president of NCSA, a nonprofit dedicated to educating the public about internet safety and security.
But when it comes to cybersecurity, no one gets a hall pass.
Schrader says business leaders need to look no further than the front page of the Wall Street Journal or New York Times to see why everyone in an organization should make cybersecurity a priority. It seems that every week another security breach makes the headlines, from Target to Home Depot, and such breaches are more likely to happen when companies fail to realize that cybersecurity is a concern for everyone, not just the IT department.
“Take the Target breach,” says Schrader. “The hackers supposedly accessed information through the HVAC contractor. An HVAC contractor’s main concern is ensuring the heating and cooling systems are functional, not cybersecurity. But it’s this type of oversight that leads to breaches.”
Matthew Kellam, partner at law firm Laner Muchin, says that everyone in an organization must understand the catastrophic nature of a security breach. He says that while many breaches compromise employee or customer information, there are many types of data that can be accessed.
“If you’re in the food industry, for instance, and your products and ‘secret’ ingredients are critical to your trademark, that information could suddenly be out in the public,” says Kellam. “Hackers could also get their hands on customer lists, which is possibly the most valuable information relating to the business.”
Ken Anderson, vice president and business information security officer at Equifax Workforce Solutions, says that security threats evolve every day and have expanded to impact both businesses and individuals.
“When the Ukrainian power grid was attacked in 2015, it left nearly 3 million people without heat or power in the middle of winter,” he says. “The Yahoo! security breach didn’t just impact its sale to Verizon, it also compromised 3 billion user accounts, including passwords, email addresses, and security questions and answers.”
At Equifax Workforce Solutions, Anderson develops relationships with customers to understand and improve their security experience, as well as with the security team, HR and other senior leaders throughout Equifax. This unique position allows him to help the C-suite understand why cybersecurity is everyone’s job and how they can assist security teams both on-site and in their personal lives by practicing proper cybersecurity habits at work and at home.
Jeremy Bergsman, practice leader at research and advisory firm Gartner, says that over the past five years he has seen executives take an increased interest in improving security measures. However, he says, 95 percent of all attacks occur because of a failure at a basic level.
“Most breaches happen when people are doing the right thing,” says Bergsman. “Strong anti-malware is in place, systems are configured properly, but one small thing may have been forgotten. It’s that small, basic measure that significantly increases the chances of an attack.”
Bergsman adds that every business decision carries an equal or greater risk implication. For example, HR is responsible for purchasing human capital management (HCM) systems, which hold confidential employee and company information. HR leaders must make informed purchasing decisions and should consult the chief security officer before finalizing a choice.
From there, says Bergsman, keep it simple.
“Complexity is the enemy of security,” he says. “Everything you do to keep things simple makes the company more secure.”
A simple mnemonic for what matters most is the three Ps, says NCSA’s Schrader: patches, people and passwords. Ensure all equipment is regularly updated and patched; determine who has access to what (track access, and enforce password-protected screen locks or sleep mode on computers); and change passwords, he says.
Bergsman cautions that chief security officers and chief human resources officers (CHROs) shouldn’t fall back on once-a-year training or once-a-year password changes as sufficient cybersecurity protocols.
To ensure that security becomes a top-of-mind objective for everyone within a company, he says, there needs to be frequent, informal communications such as newsletters, posters and content on the company intranet. It should also be built into employee goals and onboarding.
Anderson adds that companies should create a clean-desk policy, designed to ensure that all sensitive or confidential materials are removed from workspaces and locked away when not in use or when an employee leaves his or her workstation, and that vendors and visitors should be escorted throughout the building and wear a clearly marked badge. He also suggests that senior leaders and executives take part in tabletop exercises that simulate fraud or breach activity, which highlight shared responsibility and walk through the actions everyone would take during a security event.
Though it may sound draconian, other methods for ensuring cybersecurity compliance are rewards and punishments. Bergsman says negative incentives pack a powerful punch and include official reprimands for repeated mistakes up to firing for substantial violations. CHROs will need to determine what measures are appropriate and how best to broadcast them.
“[A negative incentive] is a powerful way of changing behavior. It’s not the fear in employees, but the signaling that the company does care,” says Bergsman. “Seeing tangible evidence that the company does care signals that the company’s money is where its mouth is involving security.”
Just as important, though, are positive incentives, which the experts say don’t have to be expensive.
Anderson says employees at Equifax are rewarded for being good stewards of security hygiene when they follow proper protocol and report suspicious behavior. Good security hygiene extends from the work environment to the home environment and can include using a secure browser, keeping anti-malware and anti-virus software updated, not opening emails from unknown senders (or emails that appear “phishy”) and backing up data to the cloud.
Overall, executives looking to be full participants in cybersecurity need to acknowledge that it’s everyone’s job and determine the best practices for getting that message out to all employees.
“At the end of the day, IT departments are certainly responsible for a company’s hardware,” says Schrader. “But HR is responsible for the software–the people using it.”