Read the book The Security Culture Playbook - Perry Carpenter - Page 22

Your People and Security Culture Are at the Center of Everything


Your people are the most important element of your cybersecurity program; ignore them at your peril. Technology will only get you so far. So it's time to elevate human-layer defense to the forefront of the conversation. And it's time to deliberately and methodically focus on security culture.

Human knowledge, beliefs, values, behaviors, expectations, and social pressures are involved in everything that matters within your organization:

- Humans decide what technologies to purchase.
- Humans decide what risks to focus on and how to gain visibility into those risks.
- Humans determine the need for new processes.
- Humans review and tweak the settings of business technologies.
- Humans are in charge of running, patching, and maintaining your security technologies.
- Humans design and code the applications you develop in-house.
- Humans review your third-party risk.
- Humans decide how they will respond to something that looks suspicious.
- Humans decide (both consciously and unconsciously) how they will react to the systems and information they interact with each day.
- Everyone you hire, contract, interact with, or sell to is human.
- Everything you design, sell, or develop business from is ultimately in service of humans.
- Everything and everyone in your organization is impacted by the decisions, behaviors, and expectations of other humans.

Your people and your security culture are the heart of your cybersecurity program. In this book, we'll share a number of interesting (and maybe even shocking) insights related to how your security culture will either be a net benefit or a huge liability for your organization. Here's an example.

While evaluating our security culture dataset, Kai's team recently made an interesting discovery. They took a sample of just over 1,100 organizations and nearly 100,000 employees and looked at employee susceptibility to phishing (measured via a simulated phishing test) as it relates to an organization's overall security culture (as measured by our Security Culture Survey) (Eriksen, 2021). There was one obvious correlation, which you are probably already anticipating: Organizations with a “poor” security culture had more employees who opened and interacted with phishing emails in various ways than did organizations with a “good” security culture. Yeah, we would expect that. But here's what we didn't expect: Employees of organizations rated as having a “poor” security culture were 52 times more likely to enter credentials as part of a phishing scam than employees of organizations with a “good” security culture.

Let's put that into raw numbers. In organizations with a “good” security culture, one employee out of 1,000 is likely to be tricked into giving away their credentials or entering other sensitive data as part of a phishing scam. But, in organizations with a “poor” security culture, that number jumps to 1 out of 20.

Our data shows that, in organizations with a “poor” security culture, 1 employee out of 20 is likely to be tricked into giving away credentials or entering other sensitive data as part of a phishing scam. That's in stark contrast to organizations with a “good” security culture, where that number is reduced to 1 out of 1,000.

That's just one stat and one way of measuring the benefit of having a good security culture, but it makes the point: Focusing on your security culture is critical to your overall cybersecurity program and critical to the overall risk posture of your organization.
