Digital Media Security Against Corporate Cybersecurity Culture
We currently live in the era of digital transformation, where the logic of business and, above all, information has migrated to digital media, which implies a greater challenge for organizations to protect their data. This is the ‘new normal’: not even the almighty giants like Google, Facebook, Apple, Microsoft, Intel and other Silicon Valley organizations can 100% prevent attempts by cybercriminals to extract data, by hook or by crook. With the tendency of organizations to migrate information to the cloud and allow access to it from anywhere, the challenge is greater but not impossible, and it lies mainly in a component extrinsic to technology: the security culture.
Implementing a security culture within an organization is a process that involves the entire organizational structure, from top management to the collaborators in general, and it begins with awareness of the vulnerability that information may suffer, either from experts in computer attacks (hackers) or even from people around us in a close social environment. To implement an adequate security culture, it is necessary to consider the subject from a global point of view: management must be involved and apply the pillars of security from the point of view of corporate governance, in this way establishing a framework of reference and policies within the organization. This, combined with the essential ingredient of setting an example in terms of prevention and good practices, leverages the success of these initiatives and, above all, ensures that the security culture is aligned with the business processes.
Once the seed of this security culture germinates in the business strategy, the key point that must be taken into account is the training and awareness of the staff. The recommendation is to run periodic training activities in which employees feel a responsibility for the organization's information and, most of all, are aware of the consequences of the actions they take. In these training initiatives, basic and key areas must be covered, such as password management, secure browsing and identification of malicious emails (phishing), and, above all, the culture must be evangelized through a do-it-yourself philosophy.
To deepen the security culture and establish a baseline for avoiding information leakage, the following recommendations can be made:
- Inventory of information: organizations must determine what information they are handling. Cataloging the data in a structured way will define its importance and will determine a prevention strategy to avoid its leakage.
- Information backup: within the organization’s business continuity plan, backup copies of the information must be made, both to recover it in case of failure and to prevent a possible attacker from accessing it.
- Strategy against incidents: it is a good corporate practice to have a committee that develops an incident response plan. Its function is to guarantee the appropriate processes for responding to a security breach or information leak. The recommendation is that, within this strategy, agile guidelines are created so that personnel can respond efficiently in the face of a computer breach.
- Use an information security reference framework: depending on the business, it is recommended to have a frame of reference that follows current regulations in the information security industry, or at least to follow its guidelines.
- Implement protection and authentication mechanisms: within the organization, the security culture must be leveraged with cutting-edge technology to protect the organization’s information and ensure safe access for employees.
Although only the corporate environment has been addressed so far, it should not be ignored that the basis of security culture, and therefore of avoiding information leakage in an organization, is personal responsibility. Adopting security habits is crucial. Actions such as locking the computer each time the workstation is left unattended, periodically changing passwords and, most of all, not disclosing them, using only the organization's corporate tools, and being careful with what is published, both about oneself and about other people in the work context, are vital. In addition, care must be taken not to violate confidentiality agreements, employment contracts and other agreements that are handled in the labor context.
With the social and mobile nature of current work, another area that needs to be covered is the use of personal telephones to perform work tasks. From the personal point of view, care should be taken regarding the corporate information that is handled on these devices. From the point of view of organizations, the security policies that are implemented must take this aspect into account, which in most medium-sized organizations is a grey area. To conclude, ensuring that the organization is armored, or at least protected, against computer attacks and security breaches is an equation between culture, processes and technology.