You have to grow it. The seed is your security policy.

Information security is a key plank, as core to your business as the services and products you deliver, or your financial and corporate management. Having a security policy should be a no-brainer – as obvious as having a financial model, or a lock on the front door.

Here are some horrible statistics:

– More than 75% of businesses have had an IT security incident in the last 12 months
– Phishing and other human targeted malware are the fastest growing threat to security worldwide. According to Osterman Research, 1 in every 2 companies report they have had at least 1 ransomware attack in the last 12 months
– Low security awareness among employees is the number one root cause of security breaches
– Only 1 in 3 companies has a documented information security policy
– Less than 50% of companies do regular security awareness training

If you look at these statistics, the disconnect between cause and effect is quite stark:

– We know where the highest risk is – our people.
– We know what the main target is – our people.
– We know what the best defence is – security aware people.

And yet, businesses all over the world are failing to take the obvious steps to put in place real protection:

1. Put in place a properly thought-out security policy
2. Invest in training our people

Why bother?

Your business success depends on it: Business is all about taking risks – educated and considered risks – to maximise return on investment and business opportunities. If you ignore security, or remain ignorant of the business risks that are inherent in using IT, then your business success is perhaps a lucky dip.

5 Ways You Can Grow A Healthy Security Culture

You can’t buy security, but you can invest in it: not necessarily by buying expensive appliances. Spending more on a firewall won’t improve security in the office. Buying the most expensive anti-malware product won’t keep you safe on the internet. Security tools have value, but the big payoff is by investing in your people, your procedures and practices:

1. Develop a security-conscious culture in your business:
– Make security the business of every staff member
– Talk about security regularly
– Run staff workshops on security

2. Include security in every decision you make
– Your core business may not be “IT” or “Security”, but these two elements are core to how well every business succeeds
– New applications, new office location, new way of communicating with staff, new way to store data and deliver service: all these have IT and security as fundamental requirements
– Include IT in your business planning

3. Get an assessment – by qualified and experienced security professionals.
– Make sure your IT partner is qualified to give you advice
– Review your IT procedures, infrastructure, vendors and contracts regularly to ensure they are meeting your needs

4. Document your security policy
– Writing it down makes it real
– Involve everyone in the business – everyone has to own security

5. Get certified
If you have any clients who have security compliance requirements, or you would like to have any clients who have these requirements, get certified so you can prove you can support these standards.

– Get a review to see what you have, what you need, and where the gaps are
– Get help – it's tough to do it on your own
– Keep up to date: how long is it since you last had a review? If it was last year, it's time to look again
– Have a plan to review and keep up to date – every year

Sources:

ISACA – Advanced Persistent Threat Awareness Study
Osterman Research Cyber Security in Financial Services
PwC CIO, CSO: Global State of Information Security

Contact FooForce for Information and Assistance:

FooForce Managing Director, Frances Russell – CISA CISM CRISC

Frances Russell is an experienced IT Service Provider specialising in provision of core consulting and IT infrastructure management services to Australian businesses. The provision of IS Audit and Risk Assessment is a core competence. Utilising our CISM, CISA and CRISC accredited team and years of experience, we deliver IT risk, security and compliance audit services, strategy, alignment and maturity assessments and planning and advisory services.