Forming a culture of security

If the ‘bad guys’ can hack into the federal government, Home Depot and Target, what hope do small businesses have?

It seems we can’t go more than 24 hours without hearing about the latest, greatest data breach that affects millions. Recently, of course, we had the federal government’s Office of Personnel Management breach – exposing 30 years and at least 10 million current and former government employees’ personal data.

Breaches like this tend to inspire panic and despair in small and medium businesses. After all, if the “bad guys” can hack into the federal government, Home Depot and Target, what hope do small and medium-sized businesses have? Naturally, most small- and medium-sized businesses have neither the technical nor financial wherewithal to fight a sustained battle against full-time hackers with nefarious intent.

However, defeatism is not an option. We’ve got to reframe the conversation – rather than looking down despondently and itemizing all of the things that we can’t do, let’s talk about some of the things that we can do.

First, let’s agree that small businesses do indeed have advantages over larger businesses. Their size makes them inherently more nimble, and the cultural impact of leadership can be immense and immediate. 

Leadership in organizations with under 300 employees can have a lasting impact on the company’s culture of security, but the message needs clarity, urgency and authenticity to resonate with staff. Paying lip service to security is transparent and counter-productive. Frankly, if the CEO and his/her direct reports don’t believe that security really matters, any sustainable security program is dead on arrival anyway.

Getting non-technical executives to understand and buy in to a security culture requires framing the conversation in the context of the brand and the potential brand damage from a breach.

Executives know that their brand has value, and a security breach degrades that value with concrete financial implications. Given the inherently limited resources in smaller businesses, an ounce of prevention is worth a pound of cure. We, as business and technology leaders, need to help the executive team connect the value of their brand with the specific "ounce of prevention" that lays the foundation of a security culture. 

If the C-suite buys in on creating and maintaining a culture of security, the immediate next steps are clear:

• Write and enforce an acceptable use policy: All employees need to understand the ground rules for using company computers. Are they allowed to use Facebook? Can they access personal e-mail while on the network? The acceptable use agreement spells out what is and isn’t permissible, and speaks to consequences for non-compliance with the policy.

The policy should be updated annually, and all employees must review and acknowledge the policy upon modification. Most importantly – these rules apply to all employees – including the C-suite. If the C-suite doesn't think the rules apply to them, any attempts to instill a lasting security culture won't work. 

• Document and comply with your own internal information security policy: What steps has your organization taken to maintain and enhance your security posture? How are you protecting your customer and employee data? The information security policy is the document that sets your internal standard for security – for example, it might say that “all employees receive security training twice per year.”

It's then up to leadership to ensure the policy is complied with. Simply going through the exercise of creating this policy will force your organization to pose, and answer, tough questions. 

• Train your people. Repeat. Repeat again: It’s well-documented that the least expensive tactic to improve security is to train your staff. Given the sophistication of spear-phishing these days, users are often tricked into letting “the bad guys” into your network by clicking on a hyper-link in an e-mail. 

Has your organization conducted formal security training with the staff? Did you repeat it, institutionalize it, and embed it in your culture?

• Adopt a layered security approach: No single technology can provide adequate security for your entire network and all your data. Speak to knowledgeable resources to understand your current tools and how they might be improved. It starts with culture, but tools, technologies, and expertise matter, too.

These are simply the tactics to get the ball rolling. Sustainable change will only come with lasting commitment, but cultural norms tend to take hold rapidly with repeated emphasis and support from senior leadership. Small- and medium-sized businesses should take advantage of their naturally nimble size to drive the security message home and create a company culture of security. 

Adam Victor, director of operations at Systems Engineering, can be reached 603-226-0300​ or through

Categories: Business Advice