Creating a Culture of Security
By Lyle Hardy, Global CIO, Teleperformance
The ongoing security breaches that continue to plague retailers, government websites, and online enterprises convey the impression that stopping unauthorized access to sensitive electronic details is a near impossible task.
But paradoxically, creating automated systems that detect and prevent unlawful access to servers and data theft is only half of the solution. The other half, which is arguably more difficult, yet essential, is developing a culture of security, a structure that says to employees, “Compliance is the responsibility of every employee, every day, without exception. We expect you to be a part of our team, to work toward our clients’ success. It’s to your benefit and ours. And we will accept nothing less.”
Operational security is a much more difficult task, because it involves the vagaries of human behavior, dealing with individuals who possess a multitude of motivations, personalities, and work ethics.
It’s one thing to design an automated system that can quickly detect a denial of service attack on a company’s database. But it’s an even more difficult—yet essential—challenge to set up a system that figures out a spider-web of possible quirks and deceits from within the organization by employees intent on committing fraud, and then shuts down all avenues to their implementation.
“If you want to cheat and steal, you can cheat and steal in any business in the world,” said former Morgan Stanley CEO John Mack. Speaking recently to Bloomberg TV, Mack pointed out that “you can’t have a list of things you don’t do, and then when employees do them, you don’t punish them.”
To create a viable, secure workplace, “you have to talk about what’s right. You have to set a standard. You need to talk about culture all the time.”
The reality is that opportunities likely exist for employees to cheat because IT’s primary focus is almost always on external threats. While the vast majority of employees are honest and trustworthy, systems and business processes must be put in place to prevent potential dishonest employees from committing fraud. One of the more common fraud risks is related to employees sharing login IDs and passwords; statistics show that employee fraud is most often committed using someone else’s credentials. Employees can even be contacted on Facebook or other social media sites to ask them to reveal personal or otherwise damaging data to third parties in exchange for money.
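One way to surface the shared-credential risk described above is to look for a single login ID holding overlapping sessions from different workstations. The script below is an added example, not code from the article or from Teleperformance; it parses a constructed authentication log (timestamp, user, event, host) and reports accounts whose sessions overlap on different hosts, which is the signature a security team would review when employees lend each other their passwords.

```python
"""Flag login IDs that appear to be used by more than one person.

Added example (not from the article). The log format and the sample
lines are constructed for illustration: "timestamp user event host".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; no real accounts or hosts.
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe LOGIN ws-101
2024-03-04T08:03:42 asmith LOGIN ws-117
2024-03-04T08:15:05 jdoe LOGIN ws-204
2024-03-04T09:40:00 jdoe LOGOUT ws-101
2024-03-04T10:02:30 jdoe LOGOUT ws-204
2024-03-04T12:00:00 asmith LOGOUT ws-117
2024-03-04T13:00:00 asmith LOGIN ws-117
"""


def parse_log(text):
    """Yield (timestamp, user, event, host) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, host = line.split()
        yield datetime.fromisoformat(ts), user, event, host


def build_sessions(events):
    """Pair LOGIN/LOGOUT events per (user, host) into sessions.

    Returns {user: [(host, start, end)]}. A LOGIN with no matching LOGOUT
    is treated as still open (end=None). A repeated LOGIN on the same
    (user, host) before a LOGOUT simply restarts that session.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, user, event, host in sorted(events):
        key = (user, host)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            sessions[user].append((host, open_sessions.pop(key), ts))
    for (user, host), start in open_sessions.items():
        sessions[user].append((host, start, None))
    return sessions


def find_shared_accounts(sessions):
    """Return {user: [(host_a, host_b), ...]} for sessions of the same
    user that overlap in time on two different hosts."""
    findings = defaultdict(list)
    for user, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                host_a, start_a, end_a = sess[i]
                host_b, start_b, end_b = sess[j]
                if host_a == host_b:
                    continue  # same workstation: not evidence of sharing
                # Two intervals overlap when each starts before the other
                # ends; an open session (end=None) never ends.
                a_before_b_ends = end_b is None or start_a < end_b
                b_before_a_ends = end_a is None or start_b < end_a
                if a_before_b_ends and b_before_a_ends:
                    findings[user].append(tuple(sorted((host_a, host_b))))
    return dict(findings)


def audit(text=SAMPLE_LOG):
    """Run the whole pipeline over a log and return the findings."""
    return find_shared_accounts(build_sessions(parse_log(text)))


if __name__ == "__main__":
    for user, pairs in audit().items():
        print(f"{user}: concurrent sessions from {pairs}")
```

In the constructed log, `jdoe` is logged in from `ws-101` and `ws-204` at the same time and is flagged; `asmith` only ever appears on one workstation and is not. A finding is a prompt for a conversation with the account owner, not proof of fraud on its own (shared terminals and reconnects can produce the same pattern), which is why the check reports host pairs rather than taking action.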
Using a carrot and stick approach, companies must develop an internal culture in which employees adopt the goals of the corporation as their own and are rewarded for doing so; at the same time, they come to know that if they don’t, they will suffer the consequences.
For B2B companies, the consequences of fraud and data theft are magnified. Not only are consumers at risk, but so is your relationship with your client. That is why it’s key that your client understands that, as a third-party supplier, you can only do your best work if you’re as familiar with their internal data structures as you are with your own. While your clients may be hesitant to reveal too much, you should encourage them to open up and partner with you in conducting a thorough risk assessment of their operations.
At the beginning of your engagement with them, create a detailed map of all their processes and of their system and resource interactions, allowing you to identify critical points that are vulnerable to potential breaches, or ones where improper access could lead to negative impacts.
By suggesting ways to improve their systems, ideally preventing a breach before it occurs, you’ll be saving the client headaches while preserving your company’s own good name.
Holding employees accountable is practiced in a wide variety of industries. And doing so typically improves outcomes. For example, in the UK, National Health Service hospitals publicly post the number of patients who contract hospital-borne infections in each facility, allowing not only physicians, but patients and their families, to see how risky a particular location is. Consequently, medical caregivers have become more alert to proper sanitary practices. As a result of this and other actions, the UK has seen a dramatic drop in infections, according to Dr. Mark Wilcox, Professor of Medical Microbiology at the University of Leeds.
Provide instructional materials and ongoing training to all new hires that explain company security policies and procedures for handling financial transactions, critical information, and fraud, and constantly reinforce the company’s goals and culture through regular staff discussions.
Post signs in public spaces warning against fraud and its consequences. Run videos in common areas discussing the importance of security and the sensitivity of the data that employees handle. Issue color-coded ID cards that indicate to which areas each employee has access. Allow only permitted items on each employee’s desk. For example, if pens, writing materials, and USB drives are not needed for the employee’s work, make sure that they are not present.
Monitor access to databases and cut off employees the moment they are terminated, change roles, or go on vacation for extended periods of time. While employees may be loath to “snitch” on each other, make it clear that it’s important for the future health of the company that bad apples are weeded out. Provide an anonymous tip line so that employees can report wrongdoing, and reward employees monetarily as appropriate for cutting down on fraud.
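The first sentence above is a control that can be run mechanically: reconcile the accounts that are still active against what HR knows about each person. The script below is an added example, not code from the article or from Teleperformance. It assumes a constructed HR roster and a constructed list of database accounts (the field names `status`, `role`, `leave_start` and `granted_role` are assumptions for the illustration), and it returns each account that should be disabled together with the reason: the employee has left, the employee’s role no longer matches the role the account was granted for, the employee has been on leave longer than a threshold, or no employee matches the account at all.

```python
"""Reconcile active database accounts against an HR roster.

Added example (not from the article). Roster, accounts and the
14-day leave threshold are constructed assumptions for illustration.
"""
from datetime import date

LEAVE_THRESHOLD_DAYS = 14  # assumed policy value

# Constructed HR roster: employee id -> current HR status.
HR_ROSTER = {
    "e100": {"status": "active", "role": "billing", "leave_start": None},
    "e101": {"status": "terminated", "role": "billing", "leave_start": None},
    "e102": {"status": "active", "role": "support", "leave_start": None},
    "e103": {"status": "active", "role": "billing", "leave_start": date(2024, 2, 1)},
    "e104": {"status": "active", "role": "billing", "leave_start": date(2024, 3, 1)},
}

# Constructed list of database accounts and the role each was provisioned for.
DB_ACCOUNTS = [
    {"account": "db_e100", "employee": "e100", "granted_role": "billing"},
    {"account": "db_e101", "employee": "e101", "granted_role": "billing"},
    {"account": "db_e102", "employee": "e102", "granted_role": "billing"},
    {"account": "db_e103", "employee": "e103", "granted_role": "billing"},
    {"account": "db_e104", "employee": "e104", "granted_role": "billing"},
    {"account": "db_orphan", "employee": "e999", "granted_role": "billing"},
]


def revocation_candidates(accounts, roster, today, threshold=LEAVE_THRESHOLD_DAYS):
    """Return a sorted list of (account, reason) pairs for accounts to disable.

    Checks are ordered from strongest to weakest signal so each account
    gets the single most important reason.
    """
    out = []
    for acct in accounts:
        person = roster.get(acct["employee"])
        if person is None:
            # An account nobody in HR owns is the classic leftover credential.
            out.append((acct["account"], "no matching employee in HR roster"))
        elif person["status"] != "active":
            out.append((acct["account"], f"employee status is {person['status']}"))
        elif person["role"] != acct["granted_role"]:
            out.append((acct["account"],
                        f"role changed from {acct['granted_role']} to {person['role']}"))
        elif (person["leave_start"] is not None
              and (today - person["leave_start"]).days > threshold):
            out.append((acct["account"], f"on leave for more than {threshold} days"))
    return sorted(out)


def audit(today_iso="2024-03-10"):
    """Run the reconciliation for a given date (ISO string) over the sample data."""
    return revocation_candidates(DB_ACCOUNTS, HR_ROSTER, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for account, reason in audit():
        print(f"disable {account}: {reason}")
```

Run on the constructed data for 10 March 2024, the check disables the terminated employee’s account, the account whose owner moved from billing to support, the account of the person on leave since 1 February, and the orphaned account, while leaving the active billing employee and the person on leave for only nine days untouched. In practice the roster feed would come from the HR system and the account list from the database, and the output would feed a ticket or an automated disable step, with role changes also triggering a review of what the new role should be allowed to see.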
And should an individual be caught cheating or accessing data for nefarious purposes, and sufficient evidence is present to confirm the employee’s misdeeds, make sure that that person is publicly held to account. If someone must be arrested, do so in front of that person’s colleagues, to show that wrongdoers will be punished.
And to react quickly to changes in the security landscape, create a completely independent security council at the top level of your organization, one that reports to a C-level executive. The council evaluates changing security threats, and only the council can authorize procedural security changes.
Luis A. Aguilar, commissioner at the U.S. Securities and Exchange Commission (SEC), said in June 2014, “Boards that choose to ignore, or minimize, the importance of cyber security oversight responsibility, do so at their own peril”. So, while you may not be able to stop all fraud and security breaches, by implementing a culture of honesty and shared values and an understanding of the need to grow the company through best practices, you will minimize the impact of fraud and security breaches while maintaining an important edge on your competitors.
And you’ll also accomplish one important personal goal: the ability to sleep well at night.