Every day, cybersecurity becomes more important than the day before. As organizations increasingly rely on digital software to house data and run systems, cyber-attacks in turn become progressively more threatening. This widespread digitalization gives cyber attackers more surface area to work with, and the resulting attacks could yield devastating consequences.
Despite this trend, cybersecurity continues to lag as a priority in many organizations, leaving them vulnerable to such attacks. As entire workforces shift to remote work, here are a few insights from cybersecurity experts at Georgia Tech, including current trends and practices that professionals can use to support the development of a culture of cybersecurity within their organization.
COVID-19 has compounded the complexity of cybersecurity. Shelby Allen, research engineer and instructor for Georgia Tech Professional Education's (GTPE) Cybersecurity Certificate, notes three major vulnerabilities that the pandemic has made more pressing for organizations: phishing attacks, more unique and/or unpredictable cyber-attacks, and general exhaustion among employees and IT staff. “The technology will keep running,” Allen explains, “but we need to keep it updated and deployed, and we need to keep everyone educated and vigilant.” Additionally, the nature of remote work simply provides more leverage for a cyber-attack. More operations and data are online, and, because employees work from their own laptops and homes, IT security measures are less consistent.
Every cybersecurity program requires three components: people, process, and technology. Anant “Jimmy” Lummis, chief information security officer at Georgia Tech, emphasizes that while technology gets the most attention, people may be the most important. “People” does not refer only to cybersecurity professionals; it also means the whole network of employees that creates the culture of the company. “Cybersecurity professionals can do a lot to help secure an organization, but they will always be outpaced by the many people in an organization that do things every day,” Lummis explains. “If the culture in the organization doesn’t understand their responsibility with respect to cybersecurity, bad things will continue to happen.” Only through this professional culture can cybersecurity become a top priority and a reliable defense for any organization.
Over the 15 years that Lummis has spent in the cybersecurity field, he has seen a promising shift toward prioritizing cybersecurity. In a recent Gartner survey of CIOs across the country, 61% of respondents reported that they were increasing digital business spending directly related to cyber threats. However, cybersecurity measures cannot fully protect an organization without the support and cooperation of the entire organization. The main challenge in cybersecurity today is imparting the responsibility of cybersecurity to all levels of an organization, not just the top.
Raheem Beyah, Ph.D., vice president of research for Georgia Tech and executive director of the Online Master's of Science in Cybersecurity program, has outlined a few simple steps to build a successful incident response team and strengthen the culture of cybersecurity in your organization. First, be thoughtful in how you build your team. While having the right technical expertise is important, it is ideal to complement the skills of your team members with the abilities of the leader. Then, ensure your team is a comprehensive and inclusive representation of the organization it protects. Finally, teach yourself and others to embrace change. When technology changes, business processes will have to change, which means that management will also have to change to bring your team through the transition successfully.
The leaders of an organization must openly promote and prioritize cybersecurity training to foster a more reliable framework of cybersecurity. “You have to have support from the C-suite team that this is a high priority,” Beyah emphasizes. “It starts by the CEO appreciating the importance of security training and other things that may not seem immediately important to the bottom line but are critical for the integrity of the organization.”
Once the executive leadership prioritizes security, they must encourage and expect individual responsibility and accountability at all levels. “You have to tell people what you expect them to do,” Lummis says. “People’s performance should be evaluated based in part on cybersecurity, given that they have the tools for success.” Expecting secure behavior from employees at all levels will not only strengthen your organization's cybersecurity but will also communicate the individual value of every member of your organization.
"Those expectations for success, along with effective training, are the most important component in ensuring a persistent culture," points out Renita Folds, manager of the information and cyber sciences program office and research associate at Georgia Tech Research Institute (GTRI). Because cyber attackers are becoming more sophisticated and prevalent, it is even more important for companies to identify and address security risks before an attack occurs, especially because most data breaches are caused by human error. “On a large scale, people are easier to compromise and exploit than finding that software vulnerability,” Folds explains. Therefore, the most pressing need in cybersecurity training is increasing employees’ awareness of and ability to identify cyber-threats and attacks, establishing a “human firewall.”
A common thread throughout cybersecurity is people. People are the greatest barrier to establishing an effective cybersecurity culture and its most vulnerable aspect, and yet people are also the most important key to creating and strengthening it. Ultimately, cybersecurity depends on every individual in an organization, no matter what position they hold.
“It’s not just the responsibility of the IT team or your cyber team, it’s the responsibility of everyone in the organization to maintain that cyber-secure environment,” Folds says. “The bottom line is that humans are still the weakest link in cybersecurity, so we have to have consistent cybersecurity training on how to recognize threats and what to do about them. As attackers step up their game, we have to do the same thing on the training side.”