Creating a Culture of Cybersecurity at Work

Security awareness is foundational to creating a culture of cybersecurity. While technologies are evolving to stop advanced attacks, the human element is essential to protecting data in the workplace. Attackers realize that it is easier to gain credentials through social engineering than to crack security defenses. Fostering a culture of cybersecurity focuses on strengthening employees' understanding of security issues and how behavior increases or reduces security risks to the institution.

Employees must understand what is at stake in handling institutional data. They must be aware of the areas of risk before they can be motivated to act more responsibly. Measures like password safety practices, software patching, and avoiding phishing attacks are a few of the activities that correspond to protecting data, preventing theft of intellectual property, and stopping identity theft. Here I will first discuss areas of risk and then suggest ways to lay the foundation for an environment in which employees are aware of how their actions affect risk.

Identifying Areas of Risk

A risk assessment can identify your top areas of risk, but the higher education landscape brings its own challenges, including:

• A bring-your-own-device (BYOD) environment
• Faculty travel to foreign states
• Use of unencrypted communications (like instant messaging)
• Storage of institutional data on personal devices
• Nonstandard computer configurations
• Use of software not adequately vetted by the security office

It is important to assess your institution's security environment before taking steps to improve it. A risk assessment can be done in-house or through a security assessment contractor to determine what risky behaviors workers routinely exhibit.

Getting the Message Out

Like any enterprise, affiliates in higher ed focus on their individual goals, and rightly so — faculty on teaching and research, administrators on the health and development of the institution, and staff on supporting students, faculty, and staff in the university's mission. It can be difficult to break through the attention barrier and make employees understand that practicing cybersecurity is not antithetical to their goals but integral to them. How important is it to researchers that their intellectual property remains confidential? What is the dollar amount of the damage to development if the university experiences a breach of confidential donor information? What is the university's exposure if Social Security or protected health information is leaked? Who are the responsible parties, and do they understand the true personal risk for these types of breaches?

Data breaches represent a significant potential monetary loss to an institution.¹ According to a 2013 study published by the Ponemon Institute, data breaches in higher education cost colleges an average of $111 per record. The 2015 Ponemon study states that "in education the average cost could be as high as $300" per record.² Multiply either of these figures by the number of records the average employee touches daily, and it's easy to see that the cost of a breach can quickly escalate. An article in the Chronicle of Higher Education reports that costs related to data security lapses dating to 2011 at the Maricopa Community College District in Arizona could reach $17 million.³

The potential dollar value of a breach must be made clear to all constituents and should be top of mind with this audience when making decisions around software selection and implementation, business practices, and data storage.

Strategies

The following strategies can be adopted in the workplace environment to help create a culture of cybersecurity.

Make Yourself Available

Whether you are a CISO or whether security is just one of many hats that you wear, don't be a faceless entity that colleagues know only through e-mail messages. Go to your customers — don't make them come to you. Adopt an open door policy and encourage your team to do the same. You might impart more security information in one face-to-face lunch than with hours of online training. Encourage volunteer "security reviews" in which you or your staff give non-binding recommendations to departments after visiting their environment. These reviews can highlight potential security issues without being punitive.

Make It Real

It's key to demonstrate to employees how much of a financial incentive there is for hackers to infiltrate your system. In 2014 the Center for Strategic and International Studies estimated the annual global cost of cybercrime at $445 billion annually.⁴  The upside profit potential for criminals is virtually limitless, and risks are relatively low because legal systems have not kept pace with the rapid development of technology. For every hacker convicted and punished, many more make a comfortable living stealing credentials and selling them online. What's more, a criminal organization may be based in a foreign country, where jurisdiction makes it invulnerable to local law enforcement. What's the dollar value of an employee's password or mobile device to a cyber criminal? Members of your organization must understand the "street value" of the data they handle.

Make It a Team Effort

Many different business interests within an organization have a stake in cybersecurity: law enforcement, general counsel, emergency management, risk management, compliance, and others. Identify your partners and demonstrate to fellow stakeholders that partnering to embed and promote good information security habits is mutually beneficial.

Make Their Business Your Priority

Departments are more likely follow security guidelines that don't get in the way of the business at hand. Make it IT's priority to fully understand business processes and academic needs. Work to integrate security measures with those processes.

Make It Safe to Ask Questions

Be open to "newbie" questions, even from seasoned employees. People want to practice safe computing but are often unsure where to begin when new technologies are introduced. Often they don't understand which activities correspond to reducing which risks. Make it easy for employees to get security-related questions answered, and be sure to give solutions that are free of jargon and acronyms. Give them a clear path as to who can provide answers, and tailor your responses to the individual, no matter how basic the question might seem.

Make It Personal

Most of your employees using computers at work have similar devices at home. The security concepts used in the workplace are applicable to their home environment. Show them how they can use concepts implemented in the workplace to protect their personal data and create a safer computing environment at home. This technique is even more valuable in a higher ed environment.

Make It Transparent

Be very clear with your privacy policy. IT's security interest is in protecting the network and business assets, not spying on or gathering information about employees for nefarious purposes. Be open about what kind of data is collected and stored. Employees must understand this in order to develop a level of trust with the organization and to have confidence that their privacy is not being violated.

Make It Easy to Come Clean

Everyone makes mistakes. Employees must feel confident enough to come forward with security vulnerabilities with the assurance that they'll get support and solutions rather than finger pointing and blame.

Make It Plain

Most importantly, make it clear exactly what safe computing entails in your organization. What specific actions do you expect employees/departments to take regarding password safety, data storage, antivirus protection, encryption, the use of VPNs, two-factor authentication, and other components of your information security defense? Put these steps, clearly defined and easy to access, on your website or Internet portal.

Relationships and Culture

Any culture changes shape and evolves over time, and influencing employee behavior is a formidable task. The principles outlined, along with the relationships you build along the way, will nurture the security culture that already exists in your organization.

Notes

1. Verizon, "2015 Data Breach Investigations Report" (April 2015), 29, forecasts the average loss for a breach of 1,000 records to be between $52,000 and $87,000.
2. Ponemon Institute, "2015 Cost of Data Breach Study: Global Analysis" (May 2015), 2.
3. Megan O'Neil, "Data Breaches Put a Dent in Colleges' Finances as well as Reputations," Chronicle of Higher Education, March 17, 2014.
4. Two news stories reported on the study from the Center for Strategic and International Studies: Ellen Nakashima and Andrea Peterson, "Report: Cybercrime and espionage costs $445 billion annually," Washington Post, June 9, 2014: "A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm." Also, Paul Sandle, "Cyber crime costs global economy $445 billion a year: report," Reuters, June 9, 2014: "Cyber crime costs the global economy about $445 billion every year, with the damage to business from the theft of intellectual property exceeding the $160 billion loss to individuals from hacking, according to research published on Monday."

---

Hunter Ely is currently the chief information security and policy officer at Tulane University, covering all schools and campuses within the Tulane University umbrella. He holds CISSP, CFCE, GCIA, and CRISC certifications. Ely is a graduate of Louisiana State University with 15 years higher education and healthcare information technology experience and over seven years of information security specialty. Ely also heads Tulane Technology Services' policy development. He manages the full lifecycle of policy development, collaboration, and implementation efforts for the department. Additionally, he heads the department's incident response team, both investigating and preventing security incidents across all Tulane campuses.