It has been said that a chain is only as strong as its weakest link. This is true for many things and it is especially true for cyber security. Often in an organization, the weakest link is not the software on the systems or the hardware that makes it up; the weakest link is the individual.
No matter how state-of-the-art security resources are, an organization can be infiltrated by a single act of negligence. This is why it is imperative that security is not a one-time thing that employees learn about when they are hired, but rather a consistently reinforced culture that defines an organization.
It is an easy thing to make security an afterthought or to downplay its importance. By its very nature security is often not a visible thing until it fails, and by then it is too late. That is one reason why it is difficult to push the importance of security in the workplace.
There are a lot of other important things going on, and people tend to be busy performing other vital tasks. Once again, security is not a singular action; one cannot simply attend training, change a password or install an antivirus program on a machine and call oneself “secure.” In reality, there is no such thing as truly being “secure,” but one can maintain a constant state of vigilance and awareness.
Another pitfall is the tendency to think that cyber security is something that the IT department or the Chief Information Security Officer is solely responsible for. The truth is that each and every employee, every individual, is responsible for cyber security.
If someone has any access to any kind of company data, then they should be aware of what they can do to keep that data secure. On an individual level, one can not only follow proper procedures in communication and information handling, but one can also be aware of current methods of exploitation, such as phishing and other forms of social engineering.
Everyone from the CEO to the most basic entry-level employee needs to be involved in security. If this is not so, then more and more corporations will fall victim to data breaches and cybercrime, and it could spell disaster for everyone.
This is why cyber security awareness and training are vital. If one is informed about the proper ways to gather, use, store and dispose of data, then it is going to be that much easier to protect that data. However, one more step must be taken: once the security and awareness training has taken place, it must be followed.
Each individual must hold himself and his fellows accountable for following proper procedures when handling sensitive or private data. The intention here is not to point fingers or to police one another, but to create a culture of security in which private data remains private and everyone works toward a common good.