Companies are largely blind to their own IT security flaws.
Fortunately for companies, their customers and external security people are more vigilant.
Only in about 7% of cases is it the company’s own employees who discover an IT security flaw.
In over 50% of cases it is external security people and IT suppliers, and in 15% of cases it is customers, who discover that there has been a breach of IT security. This is according to the latest Data Breach Report from Verizon.
Thus, a large part of companies’ cyber preparedness is in the hands of people who do not work for the company, and this worries the IT industry.
“Companies are not good enough at finding the security flaws themselves, and are therefore partially blind to the growing cyber threat. This is a huge problem, as it makes it easy for cybercriminals to exploit the security holes,” says Bjarke Alling, chairman of the IT industry’s IT security committee and executive vice president of Liga Aps.
The IT security culture needs to go down to eye level
Internally, companies often have a number of formal procedures around IT security, and may also run awareness campaigns a couple of times a year to increase employees’ focus on IT security.
However, what is written down in formal documents and procedures is not always what matters most in creating a real security culture. It is much more about creating a basic awareness of IT security in everyone in the company.
“Sometimes it works best if you explain, in a relevant and present way, exactly what the employees have to do. So it is often a matter of giving the employees a concrete reason and a simple tool, so that it becomes easy for the individual to make a change in behavior.”
For even the most effective firewall is powerless if an employee clicks on a link that lets malicious code into the system. And if there is only a single password between the hacker and the company’s critical data, then all the other IT security measures are of no help.
Everyday security heroes must be hailed
Many people probably find it embarrassing to admit that they have clicked on a link, opened a document or responded to an email that turns out to be a disguised cyber attack.
But that attitude is completely wrong, according to the IT industry. It is precisely those people who should be praised when they share their mishap with the rest of the organization.
“We have to do away with a widespread culture where you think it is embarrassing that you have accidentally clicked on the wrong link. If we are to have better IT security, management must also actively praise and highlight those who dare to take the lead. Because they are the heroes of everyday life and should be framed on the director’s table,” says Bjarke Alling.
At the same time, it should be easy for employees to report things like IT security holes, ransomware attempts or CEO fraud, so that the information is quickly disseminated to the rest of the organization.
Be prepared when outsiders point out security holes
When such a large part of security flaws is discovered by external parties, it is also important to have your processes ready for when someone from the outside draws your attention to a security flaw.
“Unfortunately, we hear about well-meaning citizens or freelance security consultants who make companies aware of an IT security shortcoming, but who are subsequently threatened with fire and flames. We must change that, so that you are greeted with thanks and a bottle of wine instead of threats of legal action,” says Bjarke Alling.
The IT industry has therefore developed a code of conduct for IT security breaches, which can help both the reporter and the recipient handle external inquiries about IT security breaches in the right way.
Source: IT-Kanalen by it-kanalen.dk.