Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Who do you share your security culture with?

We all know that we live in a world where we do share sensitive data with business partners, and we expect them to protect our data, which is not always the case. A while ago I decided to buy a used USB disc at a flee market to conduct an experiment to see how much data people leave on their old discs when selling them.

At home I connected the disc to a secure computer to ensure that it wouldn’t damage any of my data or spread viruses, the disc itself looked as it was restored to its original state with only the tools for the USB device itself on the disc. So at least an attempt to protect the data was taken, but to investigate a bit more I started a tool to try to undelete files from the filesystem.

The tools, TestDisk, did find a lot of deleted files which was not yet overwritten by new data, after restoring all files I quickly realized that this disc included some sensitive data that should have been protected much stronger.

The tool TestDIsk is quite easy to use, a video showing the above process is found at

I did not go through all data recovered by found at least one database dump for a health-related company that included SSNs, names, passwords, contact information and work-related information. All which would have made a social engineering attack extremely easy to conduct.

The information also let me to strongly believe that the person that had this information did not directly work at each of the company which data was stored on the disc but rather as some type of partner supporting with IT related tasks. A person that probably should know how easy it is to undelete files.

This leads to the question, who do you share your security culture with? In your contracts with partners you probably already do state the need for securing any information that you share with your partners, if not please review your contracts directly. The question is often more on how this is implemented in real life and which possibilities your company has in regards of controls.

If you look at your partners you will find that they will be able to be divided into tiers depending on their size, this could be used to help them to protect your data. With the smallest companies it is often easiest to ensure that they are included in your security programs including your security culture program. With the medium sized it may be that they run their own security programs and you may only be able to include them in your annually security culture measurements, and then feed the results back to your partner for improvements if needed.

For the largest companies you can expect them to run good information security programs and have them take control of the process with input of your demands, even thou you should ensure that they do work with security culture and ask them to share information about their security culture programs and measurements, this to ensure that they are on an acceptable level and also show that information security is essential part of the contract.

When you start designing your information security culture program, have in mind which partners you would like to share the program with.