The culture of an organization is very important. I didn’t realize this until I began working at Wipfli. Our culture is our beliefs and behaviors related to how we treat our employees, business partners and clients. An effective organizational culture is not something you just say you do; the organization must live it. And it should start at the top. The leaders define the culture by the way they conduct themselves.
Financial institutions must include cybersecurity in their organizational culture. Cyber risk is not just “an IT problem”; it is a business risk problem. Almost everyone in the organization accesses information systems, uses email, or in some way works with sensitive customer information.
When I think of “positive security culture,” a situation that happened to a friend of mine at his organization comes to mind. An employee accessed a personal email account from the company’s computer and clicked on a malicious file attachment, not knowing that it downloaded ransomware. The ransomware soon encrypted many of the digital files on the financial institution’s network, and a message popped up on the employee’s screen with instructions for paying the ransom. The employee was obviously embarrassed and rebooted the computer, hoping the problem would go away. But it did not. More and more files were being encrypted, making the company’s data unusable.
Meanwhile, the IT department was getting bombarded with phone calls from employees who could not access the encrypted data. IT knew it was ransomware but did not know which system had been infected, and until it did, IT couldn’t fully recover the data. But the employee who was the victim had not come forward. After many hours, the president sent out an email to all employees (thankfully, the email system had not been affected), desperately asking for information and hoping to find out which computer was infected. Finally, the employee came forward.
This incident made me realize that we need to create a positive security culture as part of our cybersecurity awareness training. We’ve got to make it okay for an employee to say, “I think I just clicked on something bad.” The damage and downtime could have been minimized if the IT department had been notified immediately.
Too often we set the wrong tone. We can do endless training sessions on cybersecurity, but people make mistakes. If your organization takes the approach of chastising or demeaning your employees after social engineering testing, you may be setting yourself up for failure. If certain employees repeatedly fail your testing, then it becomes a human resources department concern. But if we can make it easier for employees to come forward, we can minimize the damage from a real cyber threat.
Need help with cybersecurity testing and training? Feel free to contact Wipfli. We have many services to help you prevent, detect, respond to, and recover from cybersecurity threats.