In the aftermath of the WannaCry outbreak, which forced hospitals in the UK to turn patients away, made large companies spend enormous effort restoring their services, and caused damage that many companies have still not finished reporting, we need to look at why it was possible to carry out such an attack so easily.
The public information available says that the WannaCry ransomware was spread via e-mail attachments and then used a known vulnerability in Windows to spread itself further around the world. (Later analysis found little evidence of an e-mail vector and pointed instead to direct exploitation of Internet-exposed SMB services; the second step, the Windows vulnerability, is not disputed.)
Knowing this, can't we simply update our security policies and awareness training to say that users must not open unknown attachments, and that the IT department has to ensure all servers have the latest patches applied, and then the problem is solved? And perhaps also add to the policy that IT equipment must be hardened, which would include disabling the old SMBv1 protocol that WannaCry used to exploit systems: the vulnerability (MS17-010) had been patched by Microsoft two months before the outbreak, and SMBv1 is an outdated protocol version that modern Windows versions no longer need.
Or wait a second, isn't that already in our policy documents and awareness training? Yes, for most companies it is, since we have had these issues for many, many years; but we are still struggling to follow the policies we have set and to make our employees understand why the awareness training matters.
But at least after the WannaCry outbreak IT departments are on top of this issue? Or wait a second: the Petya (NotPetya) outbreak a few weeks later made it clear that the same exploit still worked in many, many IT systems worldwide. Even with the massive media attention around WannaCry, not all IT departments had patched, or at least disabled SMBv1. (NotPetya also spread with stolen credentials over legitimate administration tools, so the patch was necessary but on its own not sufficient.)
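The two controls discussed above, the MS17-010 patch and disabling SMBv1, can be audited on a Windows host with a short script. The following is an added example, not code from the original post or from the Security Culture Framework; it assumes it is run as Administrator on Windows 8.1 / Server 2012 R2 or later (the SmbShare cmdlets need that), and the KB list in it is a partial one that must be checked against Microsoft's MS17-010 advisory for the builds you actually run. The `-Remediate` switch and script name are this example's own choices.

```powershell
# Added example (not from the original post): audit a Windows host for the
# MS17-010 patch and for SMBv1, and optionally disable SMBv1.
# Assumptions: run elevated on Windows 8.1 / Server 2012 R2 or later; the KB
# list is partial and must be checked against Microsoft's MS17-010 advisory.
[CmdletBinding()]
param(
    [switch]$Remediate   # without -Remediate the script only reports
)

# Partial list of the March 2017 MS17-010 security updates. Later cumulative
# updates supersede them, so their absence alone is not proof of exposure.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215',
                'KB4012216','KB4012217','KB4012598','KB4012606',
                'KB4013198','KB4013429')

$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010: installed ($($installed.HotFixID -join ', '))"
} else {
    Write-Warning "MS17-010: none of the listed KBs found; verify the patch level (a later cumulative update may contain the fix)"
}

# SMBv1 on the server side is what EternalBlue (the WannaCry/NotPetya exploit) targets.
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server: ENABLED"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server: disabled"
    }
} else {
    Write-Output "SMBv1 server: disabled"
}

# SMBv1 as an installable component (Windows 8.1 / 10 and corresponding servers).
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol feature: installed"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output "SMB1Protocol feature: removed (reboot required)"
    }
} else {
    Write-Output "SMB1Protocol feature: not installed"
}

# Is the SMB server reachable at all, i.e. is TCP/445 listening?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Output ("TCP/445 listening: {0}" -f [bool]$listening)
```

Run it once without arguments to get a report, then with `-Remediate` to turn SMBv1 off. Disabling SMBv1 breaks old printers, NAS boxes and legacy scanners that only speak that dialect, which is exactly why so many organizations never did it; test on a representative machine before rolling it out through Group Policy or your configuration management tool.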
It is time to understand that we need more than just policy documents and awareness training. The need to work on our security culture grows every day, as more and more threats arise and cyber criminals are able to monetize their malicious actions.
Use the Security Culture Framework to ensure that our security policies, routines and instructions are not only communicated to employees but also understood, and that the organization has a solid understanding of why information security matters and is part of day-to-day operations. Using the tools in the free framework you are able not only to educate, but also to measure the result and adapt the message to different target groups within your organization. Feel free to contact me for more information on how to get your company's Security Culture program running.