Developing a compliance culture has never been more important within companies. Organisations such as Equifax and Capital One create media storms when data under their watch is exposed; however, data leaks come in all shapes and sizes. One of the most damaging is an accidental data leak caused by an employee. Such exposure can have huge implications for an organisation: the loss of sensitive data is not only embarrassing and damaging to reputation, it can also weaken your compliance posture and result in heavy fines.
Building a “cyber security compliance culture” can help prevent your company from becoming a compliance statistic; here is how and why.
When Good Insiders go Accidentally Bad
Many sectors are plagued by the simple issue of human-initiated accidents and errors, such as misconfiguration of a database or mis-delivery of a sensitive email. These cyber security events are, unfortunately, all too common, with the Verizon 2021 Data Breach Investigations Report finding that 22% of security incidents involved insiders.
Some insider threats are malicious in intent, but accidental ones can still have a massive impact on a company’s compliance stance; the Australian National University is a case in point. A senior member of the university staff accidentally exposed 700 MB of data that included names, addresses, tax file numbers and bank account details. The exposure began with a spear-phishing campaign targeting dozens of ANU staff mailboxes; once it succeeded, the attackers used a privileged username and password to gain access to the network.
Misdirected emails are another common cause of data leaks. Email misdirection or mis-delivery is easily done; using ‘cc’ rather than ‘bcc’ is a common way to accidentally share sensitive information. This happened in 2020 to Sonos, when an employee replying to customer complaints put the customers’ addresses in the cc field instead of bcc, exposing more than 450 email addresses to every recipient. The incident was reported to the ICO by an aggrieved customer on the cc list.
An effective way to counter these mistakes is to make employees aware of the impact that simple accidents or phishing emails have on the compliance posture of an organisation. Done well, this engagement with employees on compliance issues results in a coherent cyber security compliance culture.
How to Build a Cyber Security Compliance Culture
Compliance training requires an understanding of the laws and regulations that affect your organisation. These regulations dovetail with cyber security when it comes to data protection laws such as the UK’s Data Protection Act 2018 (DPA 2018) and the EU’s General Data Protection Regulation (GDPR). Building compliance awareness amongst employees is the route to a cyber security compliance culture.
The use of the word ‘culture’ is important. A culture embraces ideas, customs and, importantly, behaviours. Human behaviour is behind many accidental data breaches, especially those involving phishing. The urge to click is strong, as we have been conditioned to use computers in a certain way, both at home and at work. Breaking that habit down and replacing it with a culture of knowledge and understanding of how cyber security and compliance interact starts at the top and spreads across the entire organisation.
5 Steps to Create a Compliance Culture that Embraces Cyber Security:
- Invest in security and compliance: champion and encourage the change needed to raise awareness of compliance expectations. This will require an investment in time, resources, and finances; a board-level commitment to building this culture of compliance is needed.
- Build an engaging program for culture change: a cyber security compliance culture breaks boundaries and ingrained behaviours. Breaking these behaviours must be done in a fun and engaging manner. Use programs of change that actively engage employees and that are designed to be interactive.
- Build understanding and knowledge around compliance: people cannot change or follow a policy if they don’t understand why they are being asked to do something. Teach your employees about the whys and wherefores of compliance requirements. Create a program that defines their role in maintaining data security and compliance.
- Security and compliance are for everyone: building a new compliance culture is a shared experience, and your program must reflect this. All parts of your organisation are equal partners in building your cyber security compliance culture. However, different departments face different risks, so programs should be tailored to them. For example, HR may need emphasis on mis-delivery of emails, whereas IT may need more focus on misconfiguration of databases and servers. Everyone should be made aware of the requirements of the laws and regulations that apply to your industry and geography.
- Feedback and continued improvement of the culture: regulations change, people forget training, and systems are updated. Building a compliance culture that embraces cyber security is not a one-off task; the program needs to be regularly updated and delivered. One way to improve your cyber security and compliance culture is to listen to your employees, which also helps to cement their involvement in building that culture.
Our employees are the ultimate custodians of the data that our organisations generate, share, store, and dispose of. Employees must be aware of the consequences of their actions on the compliance posture of a company and the role they play in maintaining that posture. However, it’s not enough to simply deliver the message!
To change deep-rooted behaviours and beliefs, a compliance culture must be created that reflects modern cyber security threats and the requirements of data security regulation; and like all cultural changes, it can only be effective with buy-in from those affected by that change.