In today’s landscape, privacy and security cannot be considered optional - Privacy International, 2020
Protecting the data and privacy of your users has never been more critical. In light of the many recent large-scale breaches, high-profile privacy legislation, and growing concerns regarding privacy across the globe, bolting on privacy and security after the fact is no longer viable. The burden of privacy weighs heavily not only on companies in highly regulated industries but also on businesses of any size that work with user data.
GDPR introduced organizations to the concept of data protection by design and by default in Article 25. While the GDPR Article itself is generic, the idea is one that should be made part of any corporate cybersecurity program in 2020. The concept of cybersecurity by default is generally accepted to mean that privacy and security should extend into every aspect of a business: from technology and IT teams to marketing and sales teams to hiring and training to executive-level board reporting. Cybersecurity should touch everyone in an organization, regardless of the functional group or role. It should be a part of the company culture.
The challenge here is that building a culture of security is an ongoing effort, one that changes with each new law, regulation, and update. Like all things culture, it requires repetition, ideally in different formats and in a spaced, continual manner, to be consistently top of mind for your workforce.
Unfortunately, there are no tools or platforms that assist in building cybersecurity by design and default. Effective cybersecurity practices center on your people, starting with hiring and onboarding. Most companies can get this far, but few continue to promote privacy and educate their employees throughout their tenure. All too often, privacy and security awareness training is delivered at onboarding and then on an annual cadence. This cadence is not frequent enough to raise security hygiene to the level of other cultural values, such as "the customer comes first" or "radical transparency". These cultural values are present in group chats, company all-hands meetings and board decks. Cybersecurity often is not.
A large part of the challenge is that cybersecurity is difficult to promote. It is not well understood, and there are often few employees who stand out as cybersecurity champions. It is much easier to call out a salesperson for closing a major deal than an engineer for practicing great security hygiene.
Security awareness training is one of the few methods that can continually promote best practices for security hygiene. Practical security awareness training engages employees on a broad spectrum of cybersecurity topics and provides scenarios for employees to learn from. These scenarios offer a safe situation in which an employee needs to make decisions about cybersecurity. The training creates an internal dialogue about cybersecurity.
Checking the box on privacy and security awareness training speaks volumes to your employees. Baking cybersecurity into the culture of your company takes more than just checking the box, more than just annual training. It takes action by providing tools and content that instill confidence in employees that they can help maintain privacy for your customers and users.
To learn more about how Haekka can help you promote cybersecurity across your entire company, and make cybersecurity by design and default a part of your culture, send us an email or subscribe to updates on our product launch.