The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/900970
PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | FALL 2017

BEST PRACTICES

Understanding Your Organization's Security Culture Needs To Be at the Top of Your To-Do List

by Annette Beashel

Individual users are often called the weakest links in an organization's information management and security program. While it is relatively easy to get a written policy in place and apply technical controls, getting employees to comply with internal policies and procedures is a much greater challenge. In 2016, CEB (now Gartner) reported that 90 percent of employees violate security policies.

The Importance of Culture

Why are there such high levels of noncompliance? Some users bypass security measures or use workarounds to speed up their work processes or because it is easier; others act for malicious purposes, such as to steal information or intellectual property. In my experience, though, most people do not breach their organization's policies intentionally. Their decisions and actions tend to be influenced by culture. "Culture" can mean a lot of different things in this context:

» It may refer to the organization's culture. Organizations where there is little communication or training create the perception that information security is not important.

» Office size and location can influence culture. People who are part of a large organization but located away from the head office in another state or country are likely to have different perceptions of risk than those in the head office. In smaller offices, an informal environment where everyone knows each other can lead to a perception that it is acceptable to relax security standards by sharing passwords, leaving screens unlocked on unattended computers, etc. The mentality that "stuff like that does not happen here" can also arise.

» International organizations may face cultural issues such as differences in language, hierarchy or communication styles; fear of losing face; nepotism and local regulations. All of these will influence user compliance with the organization's information security policies. In a 2013 conference paper on security and culture, Alkahtani, Dawson and Lock point out that in very hierarchical cultures there is no tolerance for employees questioning the authority of their managers; in such an environment employees may disregard the organization's policies in favor of following their manager's orders.

» The jurisdiction where the organization or branch office is located may have a different perception of confidentiality. In China, for instance, there is no recognition of legal professional privilege, and it is common for clients and business associates to discuss highly confidential information using