A strong culture of security keeps the sensitive data a company handles from turning into a significant threat to the business.
When two executives of the Pathé film company received an e-mail request from their CEO to wire funds for a purported business acquisition, they thought nothing was amiss. They dutifully transferred the sum of $21 million – to a gang of cybercriminals posing as the company boss.
Both managers were fired, every cent lost.
According to HIMA, scams such as this have become a common form of crime known as ‘CEO fraud’. An FBI public service announcement issued in mid-2018 reported 78,617 cases of business e-mail compromise worldwide over roughly five years, with exposed losses of approximately $12.5 billion.
Yet CEO fraud is only one face of cybercrime. ‘Social engineering’, a favorite among attackers, means harvesting personal data from social media and using it for targeted manipulation. More often than not, attackers get into a company’s IT through its employees.
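The three messages below illustrate how a CEO-fraud e-mail typically looks on the wire and what an automated first-line check at the mail gateway can catch. This is an added example, not code from the article or from HIMA; the company domain, the executive directory and the sample messages are constructed for illustration, and a real deployment would feed the findings into quarantine or user-warning rules rather than returning a list.

```python
"""Heuristic triage of incoming mail for CEO-fraud (business e-mail compromise) indicators.

Added example; the corporate domain, executive directory and sample messages
below are constructed assumptions, not data from the article.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed display name -> real mailbox
PAYMENT_KEYWORDS = ("wire", "transfer", "payment", "acquisition", "urgent", "confidential")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit separates example.com from examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_message(raw: str) -> list[str]:
    """Parse one RFC 5322 message and return the BEC indicators it triggers, in check order."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []

    # 1. An executive's display name on a mailbox that is not theirs.
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        findings.append("display_name_impersonation")

    # 2. A registered lookalike of our own domain (attackers often authenticate these).
    if from_domain and from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 1:
        findings.append("lookalike_domain")

    # 3. Claims to come from our domain but did not pass DMARC: probable exact-domain spoof.
    auth_results = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == CORPORATE_DOMAIN and "dmarc=pass" not in auth_results:
        findings.append("internal_sender_not_authenticated")

    # 4. Replies are steered to a domain other than the apparent sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    # 5. Payment and urgency language in subject or body (two or more distinct cues).
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if sum(keyword in text for keyword in PAYMENT_KEYWORDS) >= 2:
        findings.append("payment_urgency_language")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: cfo@example.com
Reply-To: jane.doe@examp1e.com
Subject: Urgent: confidential acquisition wire transfer
Authentication-Results: mx.example.com; dmarc=pass header.from=examp1e.com
Content-Type: text/plain

Please wire EUR 1,900,000 today for the acquisition. Keep this confidential.
"""

SAMPLE_SPOOF = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Reply-To: jane.doe.ceo@mail-example.net
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Content-Type: text/plain

Are you at your desk? I need a payment processed before the bank closes.
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck for Thursday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached is the draft deck, comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, triage_message(sample))
```

Note that the lookalike sample deliberately passes DMARC: criminals register and authenticate their own domains, so an authentication check alone does not catch it, which is why the display name and the domain distance are checked separately. The exact-domain spoof, conversely, has the real address and is caught only by the missing DMARC pass and the diverted Reply-To. None of this replaces the process control the article argues for (a second approver on every wire transfer); it just buys the employee a warning before the decision lands on them.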
HIMA finds this hardly surprising given the findings of international studies on information security in the workplace, which showed that only around half of employees actively engage with cybersecurity. Many rely on their employers to handle security and take barely any precautions themselves. They are often completely unaware of the sensitivity of the data they are dealing with on a daily basis – such as passwords, contracts, and banking and customer details.
Information security must become part of corporate culture
For employees to become more conscious of risks, the concept of security has to be integrated into their daily working environment. HIMA believes that even the smallest of measures can prove effective.
IT security company Stormshield, for example, opts for ‘punishment by pastry’: when an employee leaves the office without locking their PC, they receive an automated e-mail inviting them to treat the team to croissants.
However, most enterprises focus mainly on IT solutions rather than on employees. Information security depends on a fine balance between people, processes and technology, and it is the responsibility of the entire organization. Few companies, though, take such a holistic approach to security.
According to the Cybersecurity Culture Report 2018 from ISACA and the CMMI Institute, 95% of the approximately 4,800 enterprises surveyed worldwide stated that they had not yet satisfactorily ingrained information security within their corporate culture. 90% of the respondents agreed that a strong culture of security would enhance the profitability of their business. Yet, many lack an established approach.
“People count on IT solutions. But social engineering bypasses them. We have to take people and processes into consideration too,” said Kevin Mitnick, social engineering expert, CEO of a security firm, and former hacker.
The Information Security Management System (ISMS) as a conceptual framework
Foreseeing every security risk and attack scenario is impossible. HIMA therefore stresses that companies must make their business processes transparent and watertight: each process documented, its risks identified, concrete security measures defined, and responsibilities and access rights clearly assigned.
Documentation alone does not prove that processes are secure. The documented processes must be audited by an accredited external certification body; only then can an enterprise obtain ISMS certification.
Established standards exist for this, notably ISO/IEC 27001, which specifies the requirements for an information security management system. It treats security as part of corporate culture and considers the organization as a whole: every level of the hierarchy and every department is involved, with policies and training firmly rooted in day-to-day work.
Only by fostering a security-conscious corporate culture can an enterprise transform its greatest weak spot into a digital force field. Employees are then able to recognize and successfully repel threats such as CEO fraud.