How to Create a Positive Information Security Culture for Your Workplace

What are the most significant security risks facing your organization? Your answer might include common external threats, such as brute force attacks, phishing attacks, ransomware, supply chain attacks, and attacks against vulnerable software, among many others. But the focus on external security risks misses an important point: External attacks often exploit vulnerabilities created by poor internal security controls and practices.  

According to the 2021 Verizon Data Breach Investigations Report, 85% of breaches involved a human element. Brute force attacks succeed when employees use easy-to-guess passwords. Phishing attacks succeed when employees click on malicious links in emails from unverified sources. These risks can be mitigated when your organization integrates information security practices into all elements of its organizational culture. 

An organization with a dedicated information security culture aims to mitigate internal risks by giving employees the knowledge, support, and motivation to follow information security policies and procedures. 

What is Security Culture?

Culture is the norms, values, and attitudes shared by a group. These factors matter because they influence behavior—people act according to their beliefs and incentives. A security culture is one in which norms and values are aligned with information security policies and best practices. 

In more concrete terms, that means:

  • Employees understand the security threats relevant to their role and what they can do to mitigate risk. 
  • They feel supported and encouraged to report security threats and vulnerabilities. 
  • They believe the business prioritizes security relative to other values, such as efficiency. 
  • They feel encouraged to help colleagues and employees they manage to be more secure. 
  • Security is a significant component of business communication, onboarding, and training. 

A security culture encourages employees to make information security part of their day-to-day activities and rewards them for doing so. 

How to Foster a Positive Security Culture in Your Organization

A positive security culture doesn’t arise organically; businesses must make a proactive effort to foster a security culture within their organization. Let’s consider four ways your company can begin to lay the foundations of a positive security culture today. 

1. Create Simple, Transparent Information Security Policies

Information security policies and the procedures built on them are the foundation of an effective security culture. But it’s not enough to write security policies. They must also be communicated to employees, enforced within the organization, and supported by organizational structures. 

For example,  there is little benefit to implementing a vulnerability reporting policy if: 

  • Employees don’t know who to report to.
  • There is no system in place to act on reports.
  • Employees receive negative feedback for reporting.
  • Security policies and procedures are too technical for employees to understand. 

A thriving security culture is a holistic endeavor where employees and managers work together to implement security policies. Policies only support a security culture if they are accessible, achievable, and endorsed by leaders at all levels of the organization. 

2. Empower Employees with Security Awareness Training

Without training, many employees—especially those in non-technical roles—lack awareness of security threats and the knowledge required to mitigate risk. Lack of security awareness is the root cause of many security incidents: around half of all security breaches are the result of employee error.

To take just one example, 61% of breaches in the same Verizon report involved authentication credentials that were shared, leaked, or otherwise exposed to the attacker. Security awareness training can significantly reduce this and many other security risks by helping employees to understand the threat and their role in mitigating it. 

3. Make Information Security a Company Priority

If information security isn’t a priority for managers, it won’t be a priority for employees. Many of the biggest security breaches of recent years were caused, at least in part, by a company’s unwillingness to focus on and invest in security. 

There is a short-term cost to improving security, which some companies would prefer to avoid. However, security breaches cost businesses an average of $4.24 million according to IBM's 2021 Cost of a Data Breach Report. The long-term costs of a major security breach far outweigh the cost of an ongoing investment in fostering a positive security culture. 

4. Reward Employees for Contributing to a Positive Security Culture

Effective security cultures are based on positive reinforcement that encourages employees to follow security best practices. People are more willing to devote time and effort when they are rewarded for doing the right thing than when they are punished for making mistakes. 

There are many ways a company can reward secure behavior. Security awareness experts at the SANS Institute recommend public recognition. Use security-related communications such as newsletters to praise employees for reporting vulnerabilities and following security best practices. Managers can implement the same incentives by highlighting security issues and praising employees for improving security throughout the organization.  

KirkpatrickPrice Helps Businesses to Achieve a Positive Security Culture

KirkpatrickPrice offers information security services to help businesses improve their security culture, including security awareness training and policy development.

We also offer a comprehensive range of security compliance audits for SOC 2, PCI DSS, HIPAA, FISMA, and more. To learn how KirkpatrickPrice can help your business to strengthen and verify security and compliance, contact our information security specialists.

Staying Secure While Working from Home

When your employees begin working from a remote workplace, there are a number of new security threats they can face. While you may already have thorough information security policies and procedures implemented in the workplace, these detailed security controls don't always transfer to remote work. To mitigate vulnerabilities and protect your remote employees from malicious attacks, make sure you're following these five tips for remote employees and remote workplaces.

5 Work from Home Security Tips

  1. Provide training on security and technology – The first secure work from home practice is to train your employees on security protocols, technology use, and basic communication tools. Include instructions on securing WiFi routers, using MFA, deploying a VPN, and any other relevant security processes in your training. You should also encourage or require your employees to complete training that is specific to work from home environments. KirkpatrickPrice provides Security Awareness Training that can provide you with the tools to equip your remote employees with secure, up-to-date practices.
  2. Reset default passwords and implement MFA – Default passwords on home routers, passwords that don’t meet industry best practice guidelines, and insecure storage of passwords are major security threats. By performing a password audit and implementing MFA for all devices, you’re increasing the security of the information your remote employees store.
  3. Back up data to the cloud – The beauty of the cloud is its ability to provide a space for remote employees to regularly back up their work in secure ways. Automate backups so that you don't have to rely on employees to initiate the backup process in their remote workplace on their own. Don't forget to follow cloud security best practices to ensure the data you're storing in the cloud isn't vulnerable to threats.
  4. Update all software and patch vulnerabilities regularly – The latest antivirus, firewall, web filtering, and encryption updates need to be applied regularly to ensure your remote employees' devices and applications are secure. The same guidelines should be followed for a remote workplace as are written in your company-wide security policy regarding the schedule of software updates and patch management. Keep an eye out for vulnerabilities in the new tools you're using. For example, as Zoom use surged, security researchers disclosed an unpatched UNC path injection bug in the Zoom client; track such disclosures and apply the vendor's fix as soon as it ships.
  5. Engage in penetration testing to assess your remote security – Penetration testing is beneficial to your organization because it gives you the opportunity to find gaps in your network, applications, and code before an attacker does. For remote work, IT staff will often opt for quick solutions rather than the most secure. Penetration testing can check their work and help you ensure your remote employees are operating securely.
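The "password audit" in tip 2 is easier to act on with a concrete check. The following is an added example (not KirkpatrickPrice's code or a product feature): it rejects vendor default credentials, short passwords, passwords that are common once typical character substitutions are undone, and passwords containing the username, and it lists inventory entries that still lack MFA. The credential lists, the 12-character minimum, and the device inventory are constructed for illustration; a real audit would use the vendor's published defaults, a larger common-password list, and your asset or MDM inventory.

```python
"""Password audit helpers for remote-worker accounts and devices.

Added example, not KirkpatrickPrice's code. Credential lists, device
inventory and the policy threshold below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MIN_LENGTH = 12  # assumed policy threshold

# Constructed sample of vendor default (username, password) pairs; use the
# vendor's published defaults or a maintained list in a real audit.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("user", "user"),
}

# Constructed sample of common passwords, stored in normalized form.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "summer",
}

# Substitutions people make to satisfy "complexity" rules: P@ssw0rd, etc.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo substitutions.

    'P@ssw0rd123!' -> 'password', 'Summer2020!' -> 'summer'.
    """
    base = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())
    return base.translate(LEET)


def check_password(username: str, password: str) -> list[str]:
    """Return policy findings for a candidate password (empty list = ok).

    Run this at the moment a password is chosen (reset portal, onboarding
    script); do not collect plaintext passwords for a later audit.
    """
    findings = []
    user = username.lower()
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("vendor default credential")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS:
        findings.append("common password after undoing substitutions")
    if user and user in password.lower():
        findings.append("contains the username")
    return findings


@dataclass
class Device:
    name: str
    owner: str
    mfa_enabled: bool


def mfa_gaps(inventory: list[Device]) -> list[str]:
    """Names of inventory entries that still have MFA switched off."""
    return [d.name for d in inventory if not d.mfa_enabled]


if __name__ == "__main__":
    # Constructed inventory and candidate passwords for a demo run.
    inventory = [
        Device("laptop-jdoe", "jdoe", True),
        Device("home-router-jdoe", "jdoe", False),
        Device("vpn-jdoe", "jdoe", True),
    ]
    for user, pw in [("admin", "admin"), ("jdoe", "P@ssw0rd123!"),
                     ("jdoe", "correct horse battery staple")]:
        print(user, check_password(user, pw) or "ok")
    print("MFA missing on:", mfa_gaps(inventory))
```

The normalization step is what makes the common-password check useful: "P@ssw0rd123!" passes a naive length-and-complexity rule but is still the word "password" with predictable substitutions, so it is flagged, while a long passphrase with no dictionary match passes.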

Policies You Need to Implement for a Secure Remote Workplace

With the increase in remote workplaces comes a number of policies that need to be updated to encourage productivity, security, and efficiency. The information security policy you've developed for your company should be adjusted to fit the needs of your remote employees, with a deeper focus on remote security. Take a look at this list of relevant policies you should develop for remote employees:

  • Equipment Access Policy
  • Physical Security Policy (Remote Office)
  • Acceptable Use Policy
  • Password Protocols
  • Remote Access Policy
  • Network Security Policy
  • Hours of Availability Policy
  • Response Rate/Communication Policy
  • Confidentiality Policy
  • Encryption Policy

If you need help developing a set of information security policies to address issues you may find in a remote workplace and other helpful work from home procedures, KirkpatrickPrice is here to help. Our information security experts are available to discuss your organizational needs and help you develop policies and procedures that will help keep you secure. Contact us, today, to learn more.


5 Security Awareness Training Tools You Need

Security awareness is important. That's not a new concept to anyone in IT or even to employees who have had to complete some level of security awareness training. But how can you ensure your security awareness training program is meeting industry standards? How can you get the most out of the training your employees complete? In a time when many people are transitioning to remote workplaces and work from home setups, how can you conduct security awareness training for remote employees? Let's talk about the tools you need and how they can give your organization the upper hand it needs to combat security threats.

Why Security Awareness Training is Important

Shred-It’s 2019 Data Protection Report claims 47% of c-suite executives who reported a breach cited human error, employees, or insiders as the main cause. The realization that nearly half of these reported breaches were caused simply by error on the part of employees should encourage all organizations to implement effective security awareness training – especially with the looming threats that come with remote workplaces.

Additionally, security awareness training is required to comply with PCI DSS, SOC 2, HIPAA, and other frameworks and regulations. The training you conduct should touch on topics like a clean desk policy, BYOD policy, data management, removable media, safe internet tips, physical security controls, phishing, social network threats, password security, social engineering, and malware.

5 Accessible Security Awareness Training Tools

You know you need to implement quality security awareness training, but how can your employees complete the training? Luckily, there are a number of great online resources you can use to ensure a high level of training. Without the need to have a physical training, you can conduct the annual online training for your remote employees conveniently. We’ve put together a list of 5 accessible security awareness tools you can use to conduct your own security training.

  1. Inspired eLearning: KirkpatrickPrice uses the capabilities of Inspired eLearning’s Cybersecurity Awareness Training to train our own employees, but also to help our clients. When you share a desire to engage in security awareness training with KirkpatrickPrice, you can expect us to utilize this thorough and effective online tool.
  2. SafeTitan: SafeTitan Security Awareness Training provides behavior-driven security awareness training based on the specific behaviors of each individual employee. The tool provides an extensive library of training courses, videos, and quizzes to suit your learning style. Testing takes only about 10 minutes, so it costs little employee productivity.
  3. Proofpoint: The interactive tools Proofpoint’s Security Awareness Training uses in its program allow for hands-on training that should prepare your employees to recognize various common security attacks.
  4. Enterprise Integration: EI's Security Awareness Training is personalized to meet your training needs, whether you're a small institute or a large company. This training tool could be the resource your organization needs.
  5. KnowBe4: KnowBe4’s ASAP tool is an automated security awareness program builder which builds a customized training program for your organization. To develop a program that is built according to your specific requirements, KnowBe4’s tool provides actionable tasks, helpful tips, coursework suggestions, and a management calendar.

The online access to these security training resources makes the task of implementing regular security awareness training simple. While many of your employees are in a work from home atmosphere, now is the perfect time to focus on accessible security awareness training. Make sure your remote employees have the right tools to keep your organization secure.

How KirkpatrickPrice Can Help

KirkpatrickPrice offers various courses that touch on healthcare, privacy, security awareness, PCI, and general security training. These resources provide your organization with valuable tools to conduct thorough security awareness training for all employees, including those in remote workplaces. The value in purchasing these resources through KirkpatrickPrice is that you receive quality training tools from someone you trust. Whether you’re already in the process of completing an audit or just starting your compliance journey, security awareness training is a necessary step. Let us help you as you make sure your employees are up-to-date on security best practices. Contact us, today, to learn more about our security awareness training services.

Reviewing Your Information Security Program for 2020

As organizations assess whether their information security program will overcome the 2020 threat landscape, we often hear a lot of confusion and frustration about frameworks modifying their requirements, the cost of audits rising, the cost of pen tests rising, scopes getting larger, and testing being more difficult. There’s a reason for this – the threats are advancing. Your data and systems need more protection than they did in 2019 or 2018. When pricing, scope, or frequency of testing increases, here’s what we’re really asking you: Don’t you want more protection in 2020 than you had in 2019?

Annual Checklist for Your Information Security Program

What are you going to do about the threats coming in 2020? How are you going to modify your information security and cybersecurity efforts to adapt to new requirements? Here are a few areas to consider as we head into a new year.

Risk Assessment

When was the last time you performed a risk assessment? Do you have your next one scheduled? A formal risk assessment should be conducted every year, and especially after any significant changes in your organization. A risk assessment is a proactive way that organizations can identify and assess organizational risk, getting ahead of the threats for 2020.

Incident Response Plan

IBM reports that when an organization’s incident response team extensively tests their incident response plan, the average organization saves $1.23 million when a data breach does occur. Testing is incredibly crucial to the success of an incident response plan and can be done through tabletop exercises or simulations. Have you tested your incident response plan within the last year?

Business Continuity Plan

Just like incident response plans, business continuity plans must be tested to ensure they actually work. There's no telling how extreme a disaster will be, so practicing different scenarios on a regular basis should be a top priority each year – especially if your facilities are in areas prone to natural disasters.

Policy Review and Acknowledgement

Because of the amount of policies your organization must have and their importance not only day-to-day but also during an audit, your policies and employee handbook should be reviewed and updated annually. After those updates, you should require employee acknowledgement to ensure that all changes are communicated to your personnel.

Security Awareness Training

It's hard to admit, but employees are the weakest link when it comes to information security and privacy – no matter what department they are in or how high they are on the org chart. How will you hold them accountable if you don't require annual security awareness training? At a minimum, this training should cover what they encounter on a day-to-day basis, like weak passwords, what a phishing email looks like, social engineering examples, and physical security policies.

Security Automation Tools

Organizations that do not utilize automated security tools will experience 95% higher data breach costs than organizations that do, according to IBM. What security automation tools would be a valuable investment for your organization? With all the new technology available to identify and contain an attack, it’s worth a conversation about which tools could be valuable for your organization.

Penetration Testing

Do you need to change what type of pen testing you receive, how frequently you do it, or who performs the testing? Do your compliance obligations require a more-frequent pen testing schedule? Investing in pen testing is one way to show clients, prospects, and competitors that you are willing to take every step necessary to safeguard the data that has been entrusted to you. At KirkpatrickPrice, we offer seven different types of advanced pen tests as well as code review and social engineering.

Information Security or Privacy Audits

Do any of your upcoming deals rely on a SOC 2 report? Have you taken on new clients that require HIPAA compliance from you? Are your competitors going through privacy audits? These are all things to consider as you plan how your information security program needs to adapt. The benefit of using our Online Audit Manager is that it can gauge how much crossover there is between specific audits so you know how much additional effort a second, third, or fourth audit would require from your team.

The global average cost of a data breach in 2019 landed at $3.9 million, usually impacting 25,575 records. In 2020, we expect to see that cost rise just as it has year after year. Do you want to fall victim to financial and reputational damage of new threats, hackers, malicious insiders, and internal weaknesses this year? Performing an annual risk assessment, updating and testing your incident response and business continuity plans, performing policy review, requiring security awareness training, and determining which tools, pen tests, and audits you need will help defend your organization. Let’s work together to create the best information security program for your organization.

Why Bother with an Information Security Program?

When headlines about companies like Capital One, Imperva, Marriott, Target, or Home Depot becoming victims of a data breach are released, we understand why small and medium size businesses start wondering if their efforts put towards an information security audit are worth it. If enterprise-level companies and household names can’t protect themselves, why should startups and smaller companies even try? If they can’t do it, no one else can either, right? Wrong. If your organization tends to align with this dangerous, unproductive line of thinking, then this blog post is for you. The threats you’re up against are real, but you can protect yourself and your clients’ data – you may just need some help establishing an information security program.

You vs. Them

Hackers don’t discriminate based on company size, industry, or location. They’re after sensitive assets like PHI, CHD, passport information, dates of birth, travel reward numbers, and Social Security numbers. The methods they use to go after small, medium, and enterprise-level businesses are different, though.

Hackers cast a wide net to catch small and medium businesses in their areas of weakness. When they can send phishing emails to 100 companies with 100 employees, the odds are good that an untrained, unaware employee will fall for it – even better if it’s an employee who should know better. There are plenty of breaches that happen each day that could have easily been prevented by security testing, employee training, or a basic information security program. How frustrated would you be if one employee clicked on a malicious link and it cost you hundreds of thousands of dollars, when security awareness training could’ve prevented this entire situation?

For enterprise-level businesses, hackers have more to gain, so they can spend more time planning and executing an attack. They can spend months testing their methods and observing vulnerabilities, maybe even collaborating with other hackers. This is something that, unless you have extremely sensitive data, you probably don’t have to worry about. Does that mean you shouldn’t have an information security program? Absolutely not.

Protect Yourself

When a data breach happens, it’s not just your clients who are impacted. Your name is in the headlines, and you’re the one who will pay for it (literally).

Legal Ramifications – New, state-level breach notification, cybersecurity, and privacy laws are consistently passed, with non-compliance resulting in hefty fines. When you ignore these laws or try to find loopholes, there will be legal ramifications to face.

Regulatory Responsibility – If you are subject to a regulatory body, what will happen if they find your organization non-compliant?

Costly Consequences – According to IBM, the average cost of a data breach in the United States is $8.19 million, with 67% of the cost occurring within the first year, coming from data breach detection and escalation, notification cost, incident response, and lost business. Does this cost outweigh your hesitancy to establish an information security program?

Competitive Disadvantage – If you don’t establish an information security program and have a data breach, your competitors can learn from your mistakes and use your data breach during sales conversations. If you don’t establish an information security program and haven’t been a victim of an attacker yet, your competitors can still have an advantage over you by pursuing information security audits to prove their commitment.

Protect Your Clients

When a client trusts you with their sensitive data and you can't even provide them with evidence of your commitment to protect that data, do you think they'll be loyal clients? Is the cost of an audit or information security personnel worth more to you than client data being sold on the dark web? According to Symantec, here's what hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-35

When you have no formal information security program in place and no way of showing it even if you do, your clients won’t be satisfied with your service. In some cases, a client legally cannot contract your service without seeing your audit report or policies.

Partner with KirkpatrickPrice

When you have the right partner, information security best practices can be an integral, sustaining part of your business. Audits are hard. We get it. But, they’re the only way to prove your commitment to protecting your clients and protecting yourself. Let’s partner together to define an accurate scope, implement industry best practices, and establish an information security program that will protect you and your clients.

KirkpatrickPrice is an audit firm whose goal is to provide the guidance you need to embark on a successful compliance journey. You don’t have to settle for choosing a partner that conducts an audit and leaves you with unanswered questions and worries, or who holds you to unrealistic expectations. Contact KirkpatrickPrice to get the partner your organization deserves to have on its compliance journey.
