Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970

BEST PRACTICES

Understanding Your Organization's Security Culture Needs To Be at the Top of Your To-Do List

ANNETTE BEASHEL

Annette Beashel is the Regional Risk Manager and Legal Counsel for Asia for DLA Piper and works out of the firm's Hong Kong office. She has worked in legal compliance and risk management for various international law firms for the past 10 years. Contact her at annette.beashel@dlapiper.com.

insecure platforms such as the social network WeChat.

» If a domestic organization has an international client base, those clients may bring cultural issues into the business relationship and ask staff to engage in practices that either do not comply with or may not be addressed by the organization's policies.

So how do you address these issues? It is not possible for employees to leave their beliefs, habits and opinions at the door when they walk into the office. Rule compliance and enacting disciplinary measures for noncompliance are necessary, but what happens when users find themselves in situations not addressed by policy? Are you confident that your employees will use common sense and apply a broader concept of what is good for the organization?

The best defense is to have a strong organizational culture of security. Studies have shown a link between an organization's culture and increased compliant security behavior. A key part of creating this culture is ensuring a strong commitment to security from senior management together with communication on the topic from a senior level. Higher job satisfaction has also been associated with an increased tendency toward compliant security behavior, and it may be useful to advise senior management or human resources that there is a link between the two.

Many organizations tick a box by requiring staff to attend an hour of training yearly or as part of their induction. We should ask ourselves whether this has any impact — and if we are addressing the real reason for noncompliance.

While deterrence measures are critical, they probably will not succeed if culture is not addressed. Embedding a positive organizational security culture should be a key part of any information security program. It is impossible to account for all the differences in opinions, behavior and experience that inform why people breach information security policies. However, a strong organizational culture of security coupled with appropriate technical controls should ensure a higher level of compliant behavior and a successful information security program.

TOP 5 TIPS FOR DEVELOPING A STRONG ORGANIZATIONAL CULTURE

1. Generate a consistent message from senior management on information security. Leading by example is a powerful tool.

2. Constantly reinforce the message by a variety of means such as induction programs, online and face to face training, newsletters, emails, online tests and compliance audits. Just having yearly training will not cut it!

3. Follow through on consequences for breach of policies. For example, most banks prohibit forwarding emails to personal email accounts; if forwarding takes place it is treated as an infraction and in some organizations results in summary dismissal.

4. Recognize that not everyone will come to the issue with the same background, experience or perception of the risk. Be tolerant and prepare for differences in how people will behave with respect to information security.

5. Remember that IT controls are essential in defining acceptable behavior and where the organization draws the line. For instance, if USBs are automatically encrypted this gives the signal that the business takes information security seriously. You must have written policies in place that are accessible and known to the people of the organization.
