The recent data breach involving Experian should serve as a reminder that cybersecurity is something that everybody in a company should be mindful of.
We say that, but it’s quite easy to fall into the trap of treating anything that parses a one or a zero as IT’s domain. But cybercriminals are a crafty bunch and they realise that the best vulnerability in a company is the soft squishy human in front of a keyboard.
While Experian hasn’t revealed in detail how a fraudster was able to successfully pretend to be a director of a known firm in order to get access to data, it’s clear to us that a process wasn’t followed or, worse, wasn’t in place to begin with.
So how does a company address this?
“It is critical that organisations create a culture of security in order to combat this increasingly hostile security environment. A successful security culture is driven by leadership, the human resources (HR) department, internal marketing and communication and ongoing security training. Truly agile and capable security is a people project, not a technology one,” says senior vice president of content strategy at KnowBe4 Africa, Anna Collard.
A good security strategy, according to Collard, hinges on three layers:
Technology comprises the hardware and software solutions employed to mitigate cyber risks. Policy is what allows the technology to function and the people, well they need to apply the policy to the technology in a way that mitigates risk.
As you can tell, the technology and policy can’t function properly without people using them effectively.
“This is why HR has to be involved with security,” says Collard.
“It is fundamental to changing behaviour within the organisation and helping to build a culture that recognises the importance and value of security. It is, of course, also the disciplinary arm that enforces policy and that ensures there are consequences when people continue to break the rules or fall for phishing scams or perpetually do the wrong things,” says the SVP.
Something else that should be instilled into the company is that security breaches have consequences, and yes, that includes the C-Suite.
Of course, the company should make it clear what consequences there are for security breaches as well as provide training so that breaches are avoided.
“Security training has to be iterated and repeated constantly to ensure that people are always kept aware of its importance and any changes in attack vector or threat. Only by keeping security top of mind, all the time, can an organisation truly embed a culture that’s capable of staying secure and alert,” says Collard.
With the Protection of Personal Information Act coming into play and the full weight of that legislation being in effect from June 2021, it’s imperative that companies start taking cybersecurity seriously.