Pratum Blog


In the early 1980s Ford Motor Company's slogan was "Quality is Job 1". That mentality came from Ford's president, Philip Caldwell, who believed the only way to compete in the automotive industry was to stop pushing out large quantities and focus on quality instead.

That change made a big impact. The slogan lasted 17 years and helped make Ford one of the top automakers in the world. The initiative worked not just because the phrase was catchy, but because the mentality behind it was embraced at every level of the company. From janitors to the CEO, everyone believed in the message.

For your company to have a successful cybersecurity program, you also need the whole team to get on board!

Why Does Company-Wide Cybersecurity Matter?

According to the 2019 Verizon Data Breach Investigations Report, one-third of breaches had a social engineering component. In other words, the people inside the company, and sometimes outside it, are a big part of the problem. Without education or training, employees may open dangerous emails, let a stranger into the building, or give away private information over the phone. Attackers have become savvier and increasingly rely on exploiting human behavior rather than technical flaws. That means business leaders and employees need to keep adapting as well.

A significant breach of your company could be detrimental. Not only could it cost the company money, it could also cost people their jobs. That’s why, as business leaders, you need to start the cybersecurity conversation as soon as possible.

It’s More Than Just Training

There’s a difference between training and awareness. Training is the initial education activity. Awareness is an ongoing reminder.

Training is important in cybersecurity because attackers are always evolving, and it is crucial to stay on top of the latest trends and threats. However, training alone is not the most important factor in keeping your business safe. What really sticks with people is the connection they feel with the message. Just like Ford, you need all levels of the company to understand and support the mission of cybersecurity.

Take manufacturing plants for example. All plants should have a safety coordinator on staff checking for issues and coming up with incident prevention plans. A company whose leadership believes in that mission, and promotes the health and safety of their employees, will have a lower accident rate!

On the flip side, if a company's top executives are primarily concerned with profit, they will eventually see the effects of that in more dangerous incidents on the job.

Employees need to know the leaders in the company care. They need to see the highest level of executives spreading awareness by continually talking about things like governance policies and avoiding scams. If their boss doesn’t seem interested in cybersecurity, why should the average employee go above and beyond?

Lead by Setting an Example

If you talk the talk, you better be ready to walk the walk. Business leaders should have the same set of guidelines as the rest of the company when it comes to cybersecurity. If an executive opens a phishing email and compromises company data, they should face the same repercussions anyone else would.

That brings up another point many businesses fail to address. There need to be set consequences for not following cybersecurity protocol. These rules should be discussed openly, and not following them should be taken just as seriously as safety or money violations. Leaving your company vulnerable to a data breach is the same as leaving a cash drawer open in public. People at all levels can compromise the company’s security and they should all be held accountable by the same standards.

Cybersecurity is a Culture Issue

For people to care about cybersecurity, they need to feel a personal connection. If you can show them how their actions affect their own livelihood and their peers', they are more likely to take it seriously. Try to create a personal connection to the value of cybersecurity.

A good example to share with employees is someone who has access to their personal data. If you know a business or medical provider has your sensitive information stored in its systems, don't you hope the employees there are protecting it? Like public health, cybersecurity is just as much for the employee's protection as it is for the community's safety. Everyone should do their best to keep data protected, whether it is their own, a colleague's, or a stranger's.

You can't force people to care. Employees must buy into the importance of the mission for it to sink in and work. As a leader in the company, you need to make it a core value everyone appreciates.

One Size Won’t Fit All

How often to run cybersecurity training, and when to launch awareness campaigns, really depends on your business. The frequency and delivery vary with the risk to your organization, the job duties of each employee, and the technology the employees use. There are many factors to consider, which is why it is best to analyze your own situation thoroughly rather than launching cybersecurity initiatives without much thought. It is all about determining risk and addressing those concerns through a prioritized approach.

There also needs to be follow through. Don’t just slap on some policies and forget them. Cybersecurity needs to be continually evaluated and at the heart of what you do every day. It needs to be just as important as the rest of your business to become a part of the culture. Without people buying into the message and mission, you will always be at a higher risk of a cyber-attack.

References:
https://www.autonews.com/article/20160629/RETAIL03/160629819/robert-cox-ad-man-behind-ford-s-quality-is-job-1-pitch-dies
https://enterprise.verizon.com/resources/reports/dbir/

Iranian Cyberattack on United States

If you have been following recent news, concerns over retaliation from Iran are on the rise after a U.S. military airstrike killed a senior Iranian commander. After that airstrike, Iran vowed "severe revenge" in response. The political situation is now raising cybersecurity concerns for everyone, not just government networks.

Just last week, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) sent out a tweet alerting organizations to an increased risk of Iranian cyber activity.

[Image: CISA Director's tweet warning of a heightened risk of Iranian cyber attacks]

This warning from the Department of Homeland Security is due to a heightened threat of cyberattacks from Iran. Over the summer of 2019 there was a rise in malicious Iranian cyber activity, and recent reports show it is once again a concern. While your cybersecurity firm or IT department should be monitoring for suspicious activity, there are other ways you can protect yourself and your business.

Action Steps:

1. Raise awareness within your organization.
The best thing you can do to protect your assets is to make sure those who have access to them are diligent. Re-emphasize cybersecurity training. Put notices on walls, such as educational security posters. Make sure everyone is familiar and reminded of current cybersecurity initiatives.

2. Review your permitted and successful traffic on a regular basis.
Taking inventory of your traffic should be a regular practice, but it is even more crucial right now. Blocked connections get attention by default; the traffic your firewall allowed, and the logins that succeeded, are where an intrusion actually shows up. Compare current activity against what is normal for your network and investigate any new or unusual destinations, ports, or accounts.

3. Respond to suspicious activity quickly!
If you do notice something that seems suspicious, or even just a little strange, investigate it immediately. Use the adage, “see something, say something.” Contact your cybersecurity representative for more instruction.

4. Have backups in place.
These attackers are not interested in negotiating for your business's information. According to former military personnel, once Iranian hackers have access, they keep what they find, and their past attacks have destroyed data rather than held it for ransom. Keep your backups current, test that they actually restore, and keep at least one copy offline or otherwise isolated from the network so a destructive attack cannot wipe the backups along with the systems they protect.

5. Don’t assume you’re immune to an attack.
One of the biggest misconceptions people have is that they wouldn’t be a target of these cyber attacks. That’s simply not true. No matter the size or industry of your organization, there is a potential threat.
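The second action step above, reviewing allowed traffic for anything new, is easier to follow when it is a diff against a baseline rather than a manual read. The script below is an added example written for this post, not Pratum's tooling or any vendor's product. It assumes a simplified key=value firewall log format (timestamp, action, src, dst, dport, proto) and uses constructed sample lines with documentation-range IP addresses; a real deployment would swap in the parser for the firewall's actual export. It flags two things a reviewer wants to see: destination/port/protocol combinations that were allowed today but never appeared as allowed in the baseline period, and flows that were denied in the baseline but are now being permitted, which points at a rule change worth explaining.

```python
import re
from collections import Counter

# Constructed sample logs in an assumed key=value format (not any vendor's).
# Baseline: a previous, known-good period of allowed and denied traffic.
BASELINE_LOGS = """\
2020-01-02T08:00:01Z action=allow src=10.0.1.15 dst=52.1.2.3 dport=443 proto=tcp
2020-01-02T08:00:05Z action=allow src=10.0.1.22 dst=52.1.2.3 dport=443 proto=tcp
2020-01-02T08:01:10Z action=allow src=10.0.1.15 dst=10.0.0.5 dport=53 proto=udp
2020-01-02T08:02:44Z action=deny src=10.0.1.40 dst=198.51.100.7 dport=22 proto=tcp
2020-01-02T09:15:00Z action=allow src=10.0.2.8 dst=10.0.0.5 dport=53 proto=udp
"""

# Today: includes an SSH flow that used to be denied and an outbound 4444/tcp
# connection to a host never seen before, both at 2 a.m.
TODAY_LOGS = """\
2020-01-06T08:00:03Z action=allow src=10.0.1.15 dst=52.1.2.3 dport=443 proto=tcp
2020-01-06T08:00:09Z action=allow src=10.0.1.15 dst=10.0.0.5 dport=53 proto=udp
2020-01-06T02:13:30Z action=allow src=10.0.1.40 dst=198.51.100.7 dport=22 proto=tcp
2020-01-06T02:14:02Z action=allow src=10.0.1.40 dst=203.0.113.9 dport=4444 proto=tcp
2020-01-06T10:30:00Z action=deny src=10.0.1.40 dst=203.0.113.9 dport=4444 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_lines(text):
    """Parse one record per line into a dict; 'ts' holds the leading timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(FIELD_RE.findall(rest))
        records.append(rec)
    return records


def flow_key(rec):
    """Destination-side identity of a flow; source is reported separately."""
    return (rec["dst"], rec["dport"], rec["proto"])


def allowed_flow_counts(records):
    """Count allowed flows per (dst, dport, proto)."""
    return Counter(flow_key(r) for r in records if r.get("action") == "allow")


def new_allowed_flows(baseline_text, today_text):
    """Flows allowed today whose (dst, dport, proto) was never allowed in the
    baseline. Returns a sorted list of (key, hit_count)."""
    seen = allowed_flow_counts(parse_lines(baseline_text))
    today = allowed_flow_counts(parse_lines(today_text))
    return sorted((k, n) for k, n in today.items() if k not in seen)


def previously_denied_now_allowed(baseline_text, today_text):
    """Flows the baseline denied that are now permitted: a rule change to explain."""
    denied = {flow_key(r) for r in parse_lines(baseline_text) if r.get("action") == "deny"}
    allowed_today = allowed_flow_counts(parse_lines(today_text))
    return sorted(k for k in allowed_today if k in denied)


def review_report(baseline_text, today_text):
    """Human-readable findings for the daily review."""
    lines = []
    for (dst, dport, proto), n in new_allowed_flows(baseline_text, today_text):
        lines.append(f"NEW allowed flow: {dst}:{dport}/{proto} ({n} hits)")
    for dst, dport, proto in previously_denied_now_allowed(baseline_text, today_text):
        lines.append(f"DENIED-then-ALLOWED: {dst}:{dport}/{proto}")
    return lines


if __name__ == "__main__":
    for finding in review_report(BASELINE_LOGS, TODAY_LOGS):
        print(finding)
```

Run against the samples, the report lists the two new destinations (198.51.100.7:22/tcp and 203.0.113.9:4444/tcp) and flags the SSH flow as denied in the baseline but allowed now. The baseline should be built from a period you have already reviewed, and regenerated after each review so that an attacker's traffic does not become "normal" simply by persisting for a week.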

The threat of a cyber attack is not to be taken lightly. In 2017 an attack against Ukraine, which officials blamed on Russia, was able to target government ministries, banks and companies across the country. The White House called it “the most destructive and costly cyber attack in history.”

While Iran's cyber capabilities are generally ranked below Russia's, Iranian actors have successfully attacked Saudi government and private-sector networks. With the increased tensions between the U.S. and Iran, analysts quoted in the press expect a cyber attack of some kind.

Here at Pratum we are remaining vigilant to ensure our clients’ information is protected. For more details on the services we offer, contact a Pratum representative today.

References:
https://twitter.com/CISAKrebs/status/1212959127003111424
https://www.washingtonpost.com/technology/2020/01/03/cyber-attack-should-be-expected-us-strike-iranian-leader-sparks-fears-major-digital-disruption/

Information Security Policies, Procedures, and Standards

Information security Policies, Standards, and Procedures typically fall to the bottom of many companies’ to-do lists. While these documents may seem tedious, the effort you put into the creation and maintenance of them will pay off in the long run!

What They Are

First, let’s break down what each of these governance documents are, and how to take care of them.

Information Policies – The “What”
Policies are the high-level statements that communicate a company’s objectives. This is typically the philosophy of solving security problems that may arise. Here you will find out what the organization’s objectives are, and how they are designed to protect the company’s assets.

Information Standards – The “How Often/Much”
Policies and Standards are similar but do differ in some very important ways. Standards go more in-depth and elaborate on the Policies. Who will be involved in implementing the Standards? What are the specific responsibilities of the associated departments? Who does the Standard pertain to? Who owns the individual Standard? Specific requirements are laid out here for a comprehensive look at how each control area fits into the overall information security program. Standards are what most compliance requirements and frameworks ask for.

Information Procedures – The “How”
Procedures are the step-by-step instructions for fulfilling the Policies and Standards. For every control area your Policy covers, there need to be corresponding sections describing how the company will carry out that Policy. Procedures take Policies and Standards and turn them into tangible action steps. In these procedures, the business should name the specific roles and technologies used to carry out each step.

Why You Need Them

Now that we’re on the same page about what these governing documents are, let’s explore why they’re important for your business!

Establishes Continuity
Showing your employees exactly what is expected of them is crucial. Without a clear vision set, there will inevitably be questions. Creating a universal guide for everyone to see and understand will unify the team in times of crisis or confusion.

Allows Easy Enforcement
Without a governance program, Executives have no way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find Policies, Standards, and Procedures, there is a documented basis for holding people accountable when they do not abide by them.

Creates a Security Culture
Usually if an Executive is involved in the creation of Policies, Standards, and Procedures they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate and understand what is important to the Executives. (Many companies will ask employees to sign a document saying they are aware of the Policies, Standards and Procedures and agree to comply with all security controls and directives.)

How to Get Started!

1. Figure Out Your Needs
An organization's size and niche dictate what its governance documents should look like. If you have a large business with many employees, you may need a more detailed plan. If you have a small organization where people do a little of everything, consider which guidelines will let employees perform their job duties effectively and securely.

2. Build an Action Plan
Next, address how to get the governance program in place. Talk with your IT operations team to make sure they are in compliance with the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key!

3. Maintain and Update
Last, once you have your Policies, Standards, and Procedures in place, the work is not finished. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to do annual reviews of all these important documents to proactively evaluate the security controls related to the confidentiality, integrity, and availability of your business’ sensitive information.

If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.
