Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing the threats posed by possible cyberattacks or security weaknesses is very important for organizations, but every protective measure, technical or procedural, depends on the employees who must follow it. Obtaining this engagement requires effective communication to employees that raises their awareness and builds their understanding of what they are expected to do each day.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program is built from the ground up, and the building blocks of security protection must be strong at the most fundamental level. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like an e-mail sent to the wrong recipient or a lost device or file. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks arising from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Cybersecurity and the hacking of Hollywood

Cybersecurity appears near the top of any compliance officer’s risk assessment. Addressing the ever-evolving concerns around it is a priority on the strategic annual plan for any compliance program. Modern society’s reliance on technology and the internet is always increasing. Along with the many benefits of technology’s interconnectedness and conveniences come risks to data privacy, information theft, unauthorized intrusions, and security breaches.

While all businesses are vulnerable to these threats, recently the spotlight has been on Hollywood and some high-profile hacking campaigns that have seriously impacted the entertainment industry. Damaging emails have been published, produced shows and scripts have been ransomed, and private photos have been leaked due to storage and server facilities being breached.

  • In November 2014, Sony Pictures was hacked by a group calling itself Guardians of Peace. The cyberattack used malware to steal data and then overwrite and delete it on roughly half of Sony’s computer network worldwide. Not only did Sony have to deal with a major technology infrastructure crisis, but shortly afterward the leaks began. The stolen data that was subsequently published ranged from embarrassing personal emails of executives and celebrities to unreleased movies to sensitive employee information. The hack was eventually attributed to North Korea and its effort to suppress the film The Interview, an attribution which some still dispute today. The fallout from the cyberattack and the insufficiency of the company’s preparations against it offer many difficult lessons in cybersecurity and corporate defences: Inside the Hack
  • Netflix was compromised by a hacker going by the name thedarkoverlord, who posted ten episodes of the network’s hit show Orange is the New Black to a torrent site on the internet. The leak occurred after a ransom request was not met, first by a production vendor affiliated with Netflix and then by Netflix itself, demonstrating that cybersecurity at third-party vendors can also be a business risk: A Group Of Hackers Is Holding Hollywood Captive — & Here’s What It Wants
  • In another ransom case, Disney suffered a hack involving the latest movie in the Pirates of the Caribbean franchise, compromised while on the servers of a post-production facility. Work is often sent out to vendors in the industry who will do it for the lowest cost, but may not promise the most robust network security to prevent intruders from accessing the content and ransoming it to the owners. This phenomenon is becoming increasingly common and expensive: Cyberattacks once again roil Hollywood, but can anything be done about it?
  • HBO sustained a major cyberattack, possibly from multiple sources, on its servers, which demonstrates how vulnerable major organizations can be to leaks, hacks, and social media hijackings. This event shows that HBO, and other organizations like it, face cybersecurity threats from a variety of sources: suppliers, insiders, intruders, and more. Ransom demands were involved here too, but other threats seemed designed merely to test security protocols or to intimidate and embarrass: Breaking Down HBO’s Brutal Month of Hacks
  • Beyond content owners such as networks and studios, Hollywood talent agencies such as UTA, ICM, and WME have also been the targets of cyberattacks. In the case of UTA, the intrusion occurred through the phone system and spread from there to the computer network, with a ransom demand following. Many of these hackers openly acknowledge that they are motivated purely by financial gain from ransom payments, so some companies are being advised to pay up to avoid having damaging or embarrassing information and valuable content leaked online: FBI Gives Hollywood Hacking Victims Surprising Advice: “Pay the Ransom”

The increasing frequency and visibility with which the technological systems of Hollywood companies are being targeted for cyberattacks indicate that this will remain a top risk for some time to come. The threats to the reputations of the individuals and organizations involved, as well as the financial and legal risks, require that the lessons learned from the situations above be translated into practical and technological improvements to cybersecurity programs.