Is Culture the Secret to Better Data Security?

According to a report by CNBC, the average American company loses $3.6 million every year to data breaches. Considering plenty of companies don’t have annual data breaches, that should help you understand how costly this problem really is. It’s vital to protect any business from cyber attacks, but there’s a component to this problem that you might be overlooking.

That same report highlighted that the leading cause of data breaches is related to employee behavior. This isn’t because you have secret spies and traitors working for you. Simple oversight and risky, passive behavior are frequently exploited by malicious entities to steal your data. No amount of security software can overcome an employee who takes work home and doesn’t secure it. So, how do you overcome the issue?

Ad Hoc Security Isn’t Enough

There are two typical responses to learning about internal threats to cybersecurity. The first is to invest heavily in security controls that prevent employee mistakes. Systems are locked down tight, and active controls are used to try to minimize risk everywhere. While this can have a positive impact, it doesn’t always work so well. Often, such security measures kill efficiency for every kind of work. Employees get frustrated with the lack of control and trust, and many will find ways to circumvent the security measures just to get their jobs done. It’s not impossible for this kind of increased security to actually make risks worse.

The other major response is to invest in massive security retraining. Every single employee is put through a program to explain risky behaviors and why they matter. This too can get decent results, but if you have enough employees or give them enough time, risk will emerge. People make mistakes. More importantly, retraining tends to have a shelf life. Eventually, some people revert to bad habits and the risk returns.

Shifting the Culture

What can be started with retraining is maintained with a culture shift. If the philosophy of workplace culture can help with retention and motivation, why can’t it be applied to cybersecurity? When best practices for security are built into the workplace culture, you get a positive feedback loop that helps foster good behavior and keep risk at a minimum. Nothing can fully eliminate security risks, but a culture shift is an excellent way to cut into the $3.6 million average that no one wants to be paying.

One aspect of a security-based culture change is to foster relationships between IT and the rest of the staff. Even if all of your IT/security is outsourced, there are ways to increase face time and communication between groups. That may require a financial investment, but when there’s a personal connection between the security team and everyone else, it’s easier to trust their advice and make an effort to help the cause.

On the flip side, a top-down culture shift can also lead to big improvements in overall data security. When security is a core component of growth and development, you naturally steer around risks that plague too many businesses. This gets into the concept of DevSecOps. Essentially, you want development, security and operations to work more cohesively. Any project should have representation from all three groups. As an example, you might want to develop or overhaul a smartphone app for your business. Instead of throwing the project to an app developer, intentionally put a member of the cybersecurity team and operations team on the development team. It helps maintain a balanced outlook from the beginning and tends to lead to more secure and functional app development.

Culture change is never easy. It takes sincere, long-term commitment from the top to the bottom of the entire organization. But when it works, it can lead to lasting changes that improve the workplace for everyone. At a very minimum, it’s worth considering a security-focused culture change to try to save your business from losing millions to data breaches.


Valicom