Every month, we offer tips to keep yourself secure in a technological world. Because this edition of Business Insider has a technology theme, you are probably expecting a recommendation on the latest firewall software or a review of some new security app for your smartphone. Instead, it is time for a reality check.
New-product developers often get very excited about advertising security. They plaster terms like "256-bit AES encryption" all over the packaging, but the average consumer has no idea what that means. They see the visual metaphors like locks or impenetrable walls, along with the word "secure," and feel confident about their purchases.
Being secure means a lot more than buying the latest technology. These products are valuable tools, but without the ability to use those tools, they do nothing to guarantee security. If anything, people are more vulnerable when they mistakenly believe they are in a protected environment; they let their guard down due to a false sense of safety and are more likely to become victims. This is not the environment we want for businesses.
True security must be cultivated as a mindset and manifested through behavior. This is especially important for businesses, because if security is not taken seriously, it will not exist. Even if half of your employees have complex 12-digit passwords, the people who just don't care (the ones with "cat" or "1234" as their passwords) will be the ones compromised. If just one employee is a security risk, the business itself is at risk.
The goal is simple: Make everybody care. No matter what your security policies and procedures are, if they aren't taken seriously they may as well be blank. Business owners need to take a more active role in cultivating the right kind of attitude among employees. Security needs to be addressed in real terms. When an average employee hears "mandatory security compliance," the employee immediately dismisses the information as a useless formality. On the other hand, when that same employee is presented with the legal and financial aftermath of losing client credit-card information, the issue suddenly becomes tangible. If the danger isn't real, the safeguards will not be real.
Only education can properly create this culture of security in the workplace. Security awareness training is essential, but it needs to be presented in a manner that the employees can truly connect with. Companies need to educate and train their employees in a way they can understand. The threats must be real, and the employees must feel strongly about preventing those threats from ever occurring while holding each other accountable for the integrity of the business.
Many businesses forget that physical security is part of information security, and this can only be fixed through the right attitude. It doesn't matter how secure your firewall is if you leave the door to your office wide open with your computer powered on. Employees need to be aware of their surroundings, including the presence of unauthorized people poking around where they shouldn't be. They also need to know how to react in the case of a bad situation, and this is where policies and procedures come into play.
Security is not a product. It is a collection of attitudes and behaviors, and it can only be obtained through education and training.
Neal Custer, President of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. Adjunct professor at Boise State University. Email: neal@custeragency.com. Written in collaboration with Reveal information security expert Dylan Evans.




