theNet by CLOUDFLARE

Your first line of defense in cyber security

People are an important part of securing your organization

As cyber security threats continue to increase, so do attacks linked to “human error.” There is a reason “People” come first in the People, Process, and Technology foundation of a sound security strategy. When your workforce understands cyber security and the role they play in it, they become your first line of defense in protecting the organization and reducing risk.



Security-first culture starts at the top

Culture is not a poster on a wall. It shows up in how teams engage and the behaviors that are rewarded.

Security culture starts at the top of an organization, with your leadership. It shows up in three ways: prioritization, communication, and leading by example.

A culture that fosters a proactive defense strategy empowers employees to spot and report risk. We use a simple, yet effective, reporting mechanism for anyone to flag anything suspicious for our security incident response team (SIRT) to investigate. We encourage and champion the people who submit the most security incident reports each month. We share incidents across the company to build a community with a shared mission to protect and secure. Our most senior leadership leads by example by reporting anything suspicious as well.

Leadership at Cloudflare clearly articulates how we communicate and prioritize security, and does so transparently. Accidentally click on that phishing link, or leave your laptop unsecured? Our teams are encouraged to self-report, knowing they won’t be penalized for a mistake. This fosters a culture where we do the right thing to mitigate mistakes quickly.



Building a culture of awareness

Even at a security company like Cloudflare, not everyone is a cyber security expert. Even those with the strongest cyber background will struggle to keep up with the evolving attack vectors.

Sharing stories about how our work stops cyber security attacks keeps our teams aware and vigilant. Sharing these insights not only celebrates our victories but also helps us learn from each incident, turning daily battles into lessons that fortify our defenses. This practice fosters a culture of continuous learning and preparedness, ensuring that every team member, from the newcomer to the seasoned expert, understands the dynamic nature of threats.

We recently had an incident where our employees were targeted via personal social media accounts. They understood the risk and knew the importance of reporting it to our SIRT. The rapid response from our workforce allowed us to share the incident with the wider team to drive further awareness, investigate, and shut down the attacker by partnering with the social media provider.



Understanding everyone has a role

Having a strong culture of security and heightened awareness is a great start. But it's equally crucial that every member of your organization understands their specific role in maintaining a strong security posture.

Begin by establishing clear, comprehensible cyber security policies. Ensure these guidelines are not just theoretical; they need to explain the "how" and "why," making them actionable. Keep these policies accessible and refresh them yearly to reflect new threats and changes in technology, reinforcing everyone's duty to comply.

Empower your organization with the knowledge of immediate actions: How to report a policy breach, recognize phishing and social engineering attempts, deal with physical security breaches like tailgating in the office, or spot misconfigured systems.

While annual training on cyber security and privacy awareness sets a solid foundation, go beyond this by integrating role-specific security training. This approach embeds security measures into every facet of your organizational processes, ensuring security isn't just a policy, but a practice woven into the daily fabric of your operations.



Reducing the risk of human error

A major burden weighing heavily on security teams across organizations is complexity.

The more complex your systems are, the more likely it is that an error will occur. Misconfigurations are a significant risk that attackers can exploit. "Trust but verify" is an old-school security cliché that stands the test of time. It is imperative that your teams validate the efficacy of configurations and the implementation of controls to ensure human error does not create a vulnerability.

By adopting strategies that reduce click-ops and prioritize infrastructure as code (IaC), you can not only reduce the risk of human error, but also scale so your team can focus on the most important work. We’ve leveraged this strategy at Cloudflare and shared how we use Terraform to manage Cloudflare, so you can continuously improve how you maintain your own systems while reducing complexity and the risk of human error.



Security culture is part of your defense

Strengthening cyber security awareness is not just a precaution — it's imperative. By fostering a culture where every team member is aware and actively engaged in cyber security practices, we build not just barriers, but firewalls against digital threats.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.



Dive deeper into this topic.

To help build a strong security culture apprised of the latest threats, get the State of Application Security report.

Authors

Ranee Bray — @raneebray
Senior Cyber Security Strategy & Execution Director, Cloudflare

Jordan Lilly — @jordan-lilly
CSO Security Engagement, Office of CSO, Cloudflare



Key takeaways

After reading this article you will be able to understand:

  • The role of leadership in shifting mindset and behavior

  • How to build security awareness within your organization

  • The benefits of reducing complexity in your security program


