Cybersecurity: a Cultural Imperative for your Organization

May 2, 2023

Living in today’s digital age, with all of its exciting technological advances and innovations, also means we live in a constantly evolving state of persistent cyberthreats.  A 2022 survey by PricewaterhouseCoopers (PwC) revealed that U.S. executives consider cyberattacks the number one business risk their companies face. And according to the FBI Internet Crime Complaint Center’s annual report released just last month, the total potential loss from cyberattacks in 2022 surpassed $10.2 billion.

Senior executives and board members are becoming acutely aware of the “when, not if” reality, as well as the significant financial, legal, regulatory and reputational consequences of cyberattacks. They also recognize that cybersecurity can no longer be compartmentalized as the sole responsibility of their CISOs or IT departments. The goal of malicious actors is to infiltrate your organization where it is most vulnerable, which is almost never your IT department. A combined organization-wide effort is required to help protect your and your customers’ data from malicious attacks.

Cybersecurity is indeed everyone’s responsibility

With the hyper-acceleration of digital transformation, including cloud migrations and transitions to remote or hybrid workforces, most organizations are already heavily investing in cybersecurity processes, policies and supporting technology stacks – including security information and event management (SIEM), managed endpoint detection and response (MEDR) and network access control (NAC) solutions – to bolster their cyber defenses.

Many companies are adopting Zero Trust Architecture (Zero Trust), a security model that is currently considered a cybersecurity best practice. In fact, according to Statista, 80% of organizations surveyed have adopted Zero Trust or are in the process of adopting it. Zero Trust removes implicit trust, assumes all users, applications and infrastructure can be compromised, and mitigates threats with security controls that enable safe and secure use of data at all times in all places.

Foundational to a Zero Trust approach is enabling a workforce of cyber-conscious employees at all levels and across all functions in your organization to help mitigate risks as part of your comprehensive cybersecurity plan. While this may require a cultural mindset shift to drive appropriate behaviors, it need not be thought of nor positioned as independent of your existing organizational culture.

Instead, your cybersecurity strategy should be aligned with your business strategy and core values which everyone should be aware of, experiencing or engaged in while conducting their day-to-day business activities. If you think about the strategic importance your organization places on all of your business imperatives around being digital-first, customer-centric and market leaders with values like trust, respect and integrity, you will find a cybersecurity narrative for each of them just waiting to be included.

As with all cultural-defining initiatives, it starts at the top with executive leadership communicating, modeling, encouraging and recognizing best practice behaviors which lead to desired outcomes for all stakeholders (employees, customers, prospects, partners, etc.) who engage with your brand. And it takes the collective collaboration and expertise of all humans in all functions (IT, security, HR, communications, marketing, sales, customer support, legal, compliance, etc.) to be successful and sustained.

The human factor

One small human mistake or oversight can be devastating to your business, and they are happening much more often than you think. The 2020 Psychology of Human Error study by Stanford University Professor Jeff Hancock and security firm Tessian found that nearly 50% of employees stated they are “very” or “pretty” certain they have made an error at work that could have led to security issues for their company. The top reasons for clicking on phishing emails are the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Additionally:

Give employees what they need to do their part

In addition to embedding the cybersecurity aspect into regular communication cascades, use empathetic and emotionally intelligent instructors who can speak in real-world terms to train your employees on effective cybersecurity practices via interactive in-person, virtual and on-demand video sessions conducted throughout the year.

Simulations, scenario role-playing and gamification have all proven to be very adept at keeping employees engaged and informed, and their experiences are much more fun, positive and memorable. Partner with people managers to provide them with guides that include functionally relevant talking points to further customize the training to what their teams do every day and specific actions they can take to mitigate risks and manage incidents.

The most common types of cyberattacks that all employees should be aware of and trained on include:

  • Malware: The umbrella term used for all types of malicious software (viruses, ransomware and spyware) used to gain access to a computer network, system or device through identified weaknesses.
  • Phishing/social engineering: The most widespread and disruptive attack vector, phishing is a fraudulent message delivered via email, text or social media that appears to come from a legitimate source. It tricks a target into either providing personal information that can lead to exploitation or clicking on a link or attachment that leads to a fake website built to harvest sensitive information or silently downloads malware onto their device. These scams are becoming more sophisticated and difficult to spot, particularly due to the game-changing natural language processing tools driven by artificial intelligence (AI) technology.
  • Ransomware: Most ransomware attacks begin with a phishing email where the user has taken the bait and the malware encrypts company files and systems so they cannot be used or accessed. Threat actors will then force the company to pay a ransom (usually in the form of cryptocurrency, which is harder to track) to unlock or regain access to their own data.
  • Password/brute force/credential theft: The undetected act of stealing a user’s ID and weak password by automated guesswork or trickery to gain access to secure accounts, networks and systems. Bad actors can be extremely patient and lurk around your network for several months until they find the information they need to do their nefarious deeds.
  • Distributed denial-of-service (DDoS): DDoS attacks use malicious software to overwhelm a target network or device with illegitimate internet traffic (from compromised computer networks or IoT devices) in order to stop legitimate traffic from reaching its destination. Telltale signs include unnatural surges of requests to a single webpage or endpoint, suspicious amounts of traffic originating from a single IP address or odd spikes in traffic patterns.

And illustrate the practical things they can do to proactively mitigate and escalate potential risks including how to:

  • Use multifactor authentication (MFA) to add an extra layer of security to the authentication process through a unique SMS code or biometric checks (fingerprint or facial recognition scans) to verify a user’s identity beyond their username and password.
  • Use strong passwords that are unique, regularly changed, at least 15 characters long and complex (a mix of upper and lower case letters, numbers and symbols). Share a list of commonly used passwords that have been blacklisted and explain why. A password manager can be a user’s best friend in complying with this important practice.
  • Turn on automatic software updates and patches that address known vulnerabilities to keep operating systems up-to-date on their desktop computers and all of their devices, including mobile phones, tablets and laptops.
  • Adopt a “stop, look, think and ask before clicking” approach to all suspicious emails, texts and social media messages that could be a phishing scam, as described above. When in doubt, they should refrain from clicking and check any suspicions out with the IT security team. If the messages turn out to be illegitimate, make sure they are immediately deleted. Employees should also be familiar with all the details of your incident response plan.
  • Engage in regular user access reviews that are conducted to identify and remove unnecessary or excessive access rights that can be exploited by cybercriminals.
  • Develop and implement a robust Incident Response Plan that will enable the organization to react quickly to a cyber event. The plan should cover identification and analysis of the event, containment, remediation, recovery and post-incident activity. Testing should be conducted at least annually with varied scenarios, from ransomware to insider threats.
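The DDoS telltale signs listed above (a surge of requests to a single endpoint, or a large volume of traffic from a single IP address) can be checked mechanically against web server access logs. The following is an added example, not code from the original post or from Konica Minolta; it assumes common-log-format lines, fixed 10-second windows and illustrative thresholds, and the log lines it analyzes are constructed, not real traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Common log format: client IP, identity, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (epoch_seconds, client_ip, path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return datetime.strptime(ts, TS_FMT).timestamp(), ip, path

def find_flood_signs(lines, window=10, ip_limit=50, path_limit=80):
    """Bucket requests into fixed windows of `window` seconds and report any
    single client IP or single path that exceeds its limit within one window.
    Thresholds are illustrative (assumed); tune them to a site's baseline."""
    by_ip, by_path = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than fail
        t, ip, path = parsed
        bucket = int(t // window)
        by_ip[(bucket, ip)] += 1
        by_path[(bucket, path)] += 1
    findings = []
    for (bucket, ip), n in sorted(by_ip.items()):
        if n >= ip_limit:                 # "traffic from a single IP address"
            findings.append(("single_ip", ip, bucket * window, n))
    for (bucket, path), n in sorted(by_path.items()):
        if n >= path_limit:               # "surge of requests to a single endpoint"
            findings.append(("single_endpoint", path, bucket * window, n))
    return findings

def sample_log():
    """Constructed log (not real traffic): a little normal browsing, a 60-request
    burst on /login from one address, and a 90-request burst on /search spread
    across 40 addresses so that only the per-endpoint check should catch it."""
    base = '{ip} - - [02/May/2023:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    normal = [base.format(ip=f"198.51.100.{i}", s=i, path="/about") for i in range(1, 6)]
    one_ip = [base.format(ip="203.0.113.7", s=i % 10, path="/login") for i in range(60)]
    spread = [base.format(ip=f"192.0.2.{i % 40 + 1}", s=30 + i % 5, path="/search") for i in range(90)]
    return normal + one_ip + spread

if __name__ == "__main__":
    for kind, who, start, count in find_flood_signs(sample_log()):
        print(f"{kind}: {who} made {count} requests in the window starting at epoch {start}")
```

The spread-out burst on /search is not flagged by the per-IP check, which is exactly why both signs from the post need to be watched together.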

Make cybersecurity an integral part of your organizational culture 

Network boundaries have changed, and our world is rapidly moving towards systems of distributed networks. While there is no “silver bullet” that can guarantee any business is 100% protected, being intentional about embedding cybersecurity into your organizational culture with learning approaches that improve learning retention will make a significant difference in helping all employees to effectively manage security risks and reduce data breaches.

There are few things more powerful in this regard than a risk-conscious, security aware and well-trained workforce of human firewalls who are super-equipped to be ready, willing and able to take the cybersecurity journey along with your organization.


Mark Barsky
Virtual Chief Information Security Officer (vCISO)

Mark Barsky is a cybersecurity expert on Konica Minolta’s Security and Compliance team, acting as a Virtual Chief Information Security Officer (vCISO) and consultant for a number of community and enterprise banks, FinTechs and Financial Advisors. Mark joined Konica Minolta’s IT Services Division from J.P. Morgan Chase, where as Vice President of Tax Operations Oversight he led enterprise-wide programs and projects focusing on regulatory compliance and operational risk management, process improvement, development of risk metrics and policy revisions. Mark holds a Masters of Business Administration from Fordham University and a Bachelor of Science in Economics from Bentley University. He is also a CMMC Registered Practitioner.