In May 2020, the personal records of more than 24 million South Africans and nearly 794,000 companies were handed over to someone impersonating a client. It’s a hard lesson in how important it is to embed security, not just into the technology and the devices of a company, but into its people. Anna Collard, SVP of Content Strategy and Evangelist, KnowBe4 Africa, says security is not just the responsibility of IT, it is the responsibility of every person in an organisation.
Collard said: “It is critical that organisations create a culture of security in order to combat this increasingly hostile security environment. A successful security culture is driven by leadership, the human resources (HR) department, internal marketing and communication and ongoing security training. Truly agile and capable security is a people project, not a technology one.”
Successful security balances on three pillars: technology, policy and people. The technology is the firewalls, the anti-virus, the ongoing alerts and the endlessly evolving bouquets of solutions that are designed to give the business an edge in the war against cybercrime. Policy outlines the processes that people at all levels of the organisation have to follow so that the technology can do its job and checks and balances are in place, and it guides people on what they can and cannot do in the digital realm. People are the key to ensuring that both technology and policy actually work.
“This is why HR has to be involved with security,” says Collard. “It is fundamental to changing behaviour within the organisation and helping to build a culture that recognises the importance and value of security. It is, of course, also the disciplinary arm that enforces policy and that ensures there are consequences when people continue to break the rules or fall for phishing scams or perpetually do the wrong things.”
Whether the organisation incentivises or punishes, security has to have consequences. Employees must see that the executive is as tightly bound by the regulations as everyone else. And they need to understand exactly what these regulations are, why they are important and the implications that failure can have for their jobs and the future of the organisation. With data protection regulations such as South Africa’s Protection of Personal Information Act (POPIA) in full effect, an avoidable mistake can result in hefty fines or even imprisonment for the directors of the company. Such a mistake can be as simple as someone clicking on a phishing email, falling for a social engineering call or unleashing a ransomware virus because they didn’t recognise the risk.
“The way we communicate, the content we use and the way that it’s distributed can make such a difference in how an organisation creates a strong security culture,” adds Collard. “It’s a blend of HR people practice, security good practice and marketing best practice. These three elements need to be pulled together to create a cohesive security ecosystem that ensures people truly understand that their actions can have serious consequences.”
This level of engagement can be achieved in multiple ways. Empower a person who interacts with the different stakeholders across the business and who has the right support from the executive and HR.