Our vulnerability is more evident across the board than in decades past. Until recently, it affected only the “others”. Now it affects us all. The solution lies within human beings, as it usually does. Even an effective culture for enterprise-wide cyber security cannot be created with technology alone.
Vulnerability – conscious and unconscious
In cyber territory, a single employee clicking on a phishing e-mail is enough to give an attacker access to the systems, in both private and professional environments. The most precious resource – the so-called crown jewel – is at risk within a very short time.
That click gives entry into the environment holding critical data and can lead to the damage or loss of that data, depending on the modus operandi used by the social engineers.
Some may still remember the WannaCry case with its data encryption, or the pattern of crashing critical infrastructure when the Petya attack switched off the monitoring of nuclear radiation in Ukraine.
Human risk factor in cyber territory
One of the most difficult aspects to control in terms of security is the insider threat posed by human behavior. In my daily work with our clients, I see time and again how great the potential for clarification is. The phantom of the foreign attacker is omnipresent, but the fact that well over 60% of cybercriminals belong to the so-called Critical Information Technology Insiders (KITI) is not. This fact is still successfully suppressed. Within the framework of our sensitization measures, those responsible succeed in making this knowledge efficiently accessible to all employees, to protect the “crown jewels”.
Cyber culture as a preventive measure
An effective cyber security culture within an organization controls employee behavior to minimize these risks. A culture of cybersecurity underlies the way business is conducted – embodied in the Code of Conduct, other policies and even “unwritten rules” that employees practice in the performance of their duties and responsibilities.
“A single employee error is enough to destroy the entire company.”
Our crown jewels (data) and our reputation are at risk of destruction every day, and we want to protect people. However, we as human beings still all too often take on the role of the “weakest link”. This can and must change!
The most effective prevention for minimizing cyber risks is a set of correctly identified and implemented measures, tailored to the individual company and its crown jewels. This includes first and foremost the right culture in the cyber territory.
Corporate Cyber Culture – a success factor
Enterprise-wide cyber security requires far more than just the latest technology. It requires every single employee to create a culture and thus minimize the risks in the cyber territory. The greatest impact, and therefore also the greatest responsibility, lies with the role models. The executive floor is challenged, including the boards of directors and supervisory boards. They are assigned several essential roles. The success of a company-wide cyber culture depends largely on the extent to which those in positions of responsibility become involved in the issue.
Corporate culture 4.0
According to Ed Schein’s definition in his model, corporate culture consists of the following three pillars:
– Belief system
– Value system
*described by Ed Schein as artifacts, creations and the art, technology and visible/audible behavior patterns as well as myths, heroes, language, rituals and ceremonies.
Managers have a special responsibility to establish and shape these three pillars and to align them with the strategy and goals.
Practical solutions are required. Especially in the area of cyber security, a strategically professional combination of technology and human behavior is required. The degree of maturity of this Corporate Cyber Culture is expandable in many of the companies that I accompany.
It is a pleasure to see how, together with the people in charge and their employees, we get to grips with the system of beliefs and values and analyze the resulting behavior. It is a very creative process that reveals new facets in dealing with risks, cyber and security to all those involved.
Where would you place the maturity level of your company in terms of “Corporate Cyber Culture”?