Consider these facts:
- Ninety-five percent of security breaches are caused by human error.
- Forty-two percent of those human-error-caused breaches are the result of the end user failing to follow policies and procedures.
- Twenty-six percent of breaches are the result of the IT staff’s failure to follow policies and procedures.
- Only 25 percent of company directors are actively involved in reviewing security and privacy risks.
No matter what type of business you are running, whatever the size, whatever the industry, cybersecurity failures can be catastrophic. They can damage your reputation, lead to high levels of employee dissatisfaction and morale issues, and create legal problems that often result in huge fines.
Fortunately, there are examples out there of how to successfully ward off security threats, and one of the best examples is actually the U.S. military. According to a recent article in the Harvard Business Review, “Cybersecurity’s Human Factor: Lessons from the Pentagon,” “From September 2014 to June 2015 alone, [the U.S. military] repelled more than 30 million known malicious attacks at the boundaries of its networks.”
It turns out we can all take a page or two from the military’s success at staving off cybersecurity attacks. Here’s how:
Eliminate “sins of commission.”
Take a lesson from the U.S. military’s operation of naval submarines. Running an underwater nuclear submarine requires that every person be performing at the top of their game at all times. Sins of commission, or deliberate variations from protocol, can’t happen. Mistakes are chances to address and correct errors, but intentionally breaking from standards should not be tolerated.
Likewise, your organization needs to treat security with military-grade seriousness, and everyone on your team must understand that absolute integrity when it comes to security guidelines and protocols is of the utmost importance.
Build in monitoring and drills.
According to the authors of the HBR article, “In the nuclear navy, operators are rigorously trained before they ever put their hands on a real propulsion plant and are closely supervised until they’re proficient. Thereafter, they undergo periodic monitoring, hundreds of hours of additional training, and drills and testing.”
Leadership at your company should be responsible for ongoing monitoring. That means your systems themselves need to be audited, but these audits should also include the people who use your systems. How is the cybersecurity training at all levels of your organization?
And remember, while your IT team should absolutely be undergoing ongoing cybersecurity training, any person who uses your system could leave you vulnerable. Every single point of contact should be considered, and every staff member, from the production floor to the C-suite, should be included in security training.
Encourage a questioning attitude in your culture.
This may sound surprising, because everyone knows chain of command is important in the military, but the reality when it comes to security is that everyone at every level is encouraged to ask questions. “Does this system make sense?” “Is this report indicating something that could be a problem?”
People in your organization need to know that they should listen to their own internal alarm bells, and they should be praised when they raise red flags. Additionally, everyone should be encouraged to double and triple check that procedures are followed.
When CEOs and CIOs Are Part of the Problem
The costs of failing to create a culture vigilant against cybersecurity threats can be huge. A 2014 study by the Ponemon Institute found that annually, the average cost of cybercrime suffered by a sampling of companies in the U.S. was $12.7 million. Even in industries without the resources to suffer such losses, consider the time lost resolving issues.
Surveys have found that C-suite leaders, including CEOs and CIOs, have a tendency to rate concern about cybersecurity lower than their managers outside of the C-suite do. That’s a leadership problem. But fortunately, it’s not insurmountable, and with active participation in security initiatives, and a clear understanding of the potential for problems, it’s a leadership problem that can be fixed.