If you’ve experienced a cyber event or data breach, or you understand how easy it is for one to occur, then you know the mission-critical importance of cybersecurity risk management plans. However, unlike traditional risk management — for things like employee safety culture or physical security — cyber risk management has only recently started to shift from a technical task to an organizational priority that is driven by leadership and involves all technology users. And, given the complex nature of modern networks and reliance on internet connectivity, cyber risk management is particularly challenging.
But here’s the good news: You probably know more about cybersecurity risk management plans than you realize. While there are no guaranteed solutions to predict all risks or completely eliminate threats, managing cyber risk can become a bit more familiar when viewed through the lens of traditional risk management.
[psa_quote]As the head of PSA’s Cyber Risk Management practice, I teamed up with our Safety Expert, Steve Pomponi, to identify nine common workplace safety culture strategies that can be successfully applied to cyber security management.[/psa_quote]
If these employee safety culture strategies that Steve has identified during his 28 years of experience in the field are effective in managing physical risks, we have reason to believe they will be effective in managing digital risks as well. Accordingly, we use the past performance of employee safety strategies as a guide for identifying equivalent or similarly effective cyber security culture and safety techniques.
In this first post of a two-part series, we’ll discuss four examples you can use to improve your cybersecurity risk management plans.
1. Employee Safety Culture Strategy: Top Management’s Commitment
It is critical for any well-managed employee injury prevention program to have top management’s commitment to developing a vision, strategy, goals, accountability metrics, and performance benchmarks, and providing necessary resources.
Cyber Security Risk Management Plan: Elevate Cyber Security to an Organizational Leadership Responsibility
An effective plan is to appoint a chief information security officer to oversee all aspects of cyber risk management. If this is not possible for your organization, you may also consider working with a consultant or designating another C-suite executive with this role (as long as they are given the appropriate support). This separates cyber risk management from IT functions, and sets the tone for the organization that cyber risk management is a top priority.
2. Employee Safety Culture Strategy: Employee Involvement
Yes, safety starts at the top, but injury prevention must also be integrated into the employees’ daily work routine. This includes creating opportunities for employee feedback, educating them about why they should care, and providing necessary resources.
Cyber Security Risk Management Plan: Build a Cross-Functional Cyber Security Policy Development Team
Similarly, your overall cyber risk management philosophy and policies must be driven by leadership, but it cannot be implemented without direct stakeholder involvement. Create a cyber risk management policy development team that incorporates representatives from every major business unit. This will help align cyber security objectives with business goals and improve buy-in throughout the organization. This team can play an important role in revising policies, educating users, enforcing procedures, and identifying conflicts between policies and the business environment early on in the implementation process.
3. Employee Safety Culture Strategy: Employee Screening
Since data shows that employees using drugs or alcohol are more likely to make mistakes, criminal background checks and drug screenings are common best practices to avoid hiring an unfit candidate.
Cyber Security Risk Management Plan: Integrating Cyber Security into Human Resource Practices
Make sure everyone who has access to your systems containing sensitive information is trustworthy and able to avoid mistakes, which could result in a costly and damaging data breach. This is not only a traditional risk management strategy; it is also specifically identified as an “Information Protection Process & Procedures” best practice in the National Institute of Standards and Technology Cyber Security Framework (NIST CSF).
4. Employee Safety Culture Strategy: Employee Orientation
Depending on the nature of your business, you probably educate your new hires during onboarding about your company’s safety philosophy, preventive measures, expectations, and reporting procedures. Your organization might also be providing task-specific education for each high-hazard activity, such as ladder use, or using a machinery.
Cyber Security Risk Management Plan: Cyber Security Employee Orientation
Ideally, your organization should also have a standalone cyber risk management policy that at a minimum documents acceptable technology use policies, discusses how sensitive data should be handled, and describes cyber security roles and responsibilities of all users. Distributing this policy is not enough. It should also be discussed as part of your onboarding process, which will help everyone understand what is expected of their specific role as well as provide them actionable information about what to do if and when something does go wrong. This communication can also serve as the foundation of future cyber risk management awareness training.
Stay tuned for five more workplace safety culture strategies in the second part of this blog series to help improve your cyber risk management practices.
In the meantime, if you have any questions or need assistance with your cyber risk management, contact jnapp@psafinancial.com. For questions related to employee safety, contact spomponi@psafinancial.com.