Craig Moss, Executive Vice President, Ethisphere

As the second most populous country in the world, India continues to grapple with the impact of COVID-19 on everyday life. In this interview, Ethisphere’s Scott Stevenson spoke to the company’s Executive Vice President, Craig Moss, about the nuts and bolts of data security assessments and maintaining an ethical culture as businesses across the region adapt to remote work environments.

When the lockdown was extended as a result of the pandemic, companies in India were forced to immediately transition their operations to a virtual and remote work setting. While moving operations posed some risks, culture, cybersecurity and data protection remained top of mind for many leaders.

According to a recent report by EY, in light of the disruption caused by the pandemic, only 32% of business leaders in India have reported that they have an incident response plan in place should a data breach occur, while 68% of respondents believe that data protection and privacy legislation can present some additional hurdles.

Ethisphere has developed a new assessment that focuses on data protection and cybersecurity for employees in a hybrid remote/office work environment. The assessment features two parts:

  • Program assessment completed by the manager – this measures data protection/cybersecurity program maturity based on their perspective
  • Culture survey completed by the employees – this provides anonymous feedback on how well the program is actually being implemented

Ethisphere Senior Analyst Scott Stevenson spoke to Craig Moss, who led the service development, about the challenges companies face and what companies can do to reduce their risk and build a data protection culture.

Scott Stevenson: First, can you explain just a bit about the thinking behind developing this new data protection and cybersecurity assessment?

Craig Moss: We want to help companies build a culture spanning home and office where employees take practical steps to protect valuable company data. In response to COVID-19, there was a rapid shift to remote work. Now, we are seeing another shift to a hybrid work environment, in which some employees will be working from home, some from the office, and some from both home and office. Based on talking with dozens of companies around the world, including India, we think this will be the new reality for the foreseeable future.

SS: Can you help clarify how information security, cybersecurity and data protection are related?

CM: Information security is the broadest term. It focuses on physical and electronic information and making sure its confidentiality, integrity and availability are maintained. Cybersecurity focuses on protecting electronic data on computers, mobile devices, servers, etc. from being compromised or attacked. Data protection is the process of making sure that digital confidential business and personal information is safe from loss, compromise or corruption. Obviously, there’s a lot of overlap. One way to look at it is that data protection is one of the primary goals of cybersecurity. In this discussion we’re focused on electronic information so we’re talking about cybersecurity and data protection. A lot of data protection focus lately is on the regulatory issues related to the protection of Personally Identifiable Information (PII) – Europe’s Global Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and soon—India’s Personal Data Protection bill.

However, it’s important for companies to also think about how they protect confidential business information and trade secrets. One important thing to keep in mind is that an effective cybersecurity program requires the orchestration of people, process and technology to create a culture where employees protect data.

SS: What do you see companies doing in response to the COVID-19 pandemic?

CM: In the initial reaction to the pandemic, companies had to scramble to get people set up to work from home. The primary focus was on business continuity – and rightfully so. It was a crisis that needed urgent action. But in order to best maintain business continuity, many companies and people did things that really increased the risk of data loss. For example, storing confidential company information on their personal cloud storage or transferring confidential information from the office to their homes on USBs or portable hard drives. Completely understandable, but now companies need to establish a baseline for their data protection/cybersecurity program given the new reality and then make the necessary adjustments to re-balance business continuity and data protection.

SS: How does the Ethisphere assessment help a company?

CM: It helps in a critical way. Managers get visibility into how well their data protection/cybersecurity policies are actually being implemented.

I see situations all the time where the program managers have pushed out well-intentioned policies that don’t get followed. The managers feel they did their job by developing robust policies and communicating them to the employees, but in reality, they have created a “work-around” culture. This happens when employees feel the policies are too restrictive or make it hard for them to do their job efficiently. There are good intentions on both sides, but the results are bad. Ms. Ritu Jain, Chief Compliance Officer, Asia, GE, wrote about this topic and offers some practical insights on page 42 of this publication.

The remote/office hybrid makes it harder to maintain a culture of data protection, but it makes it even more important.

SS: Tell us about the employee experience in taking the culture survey and what they get out of it?

CM: The employees answer about 20 simple multiple-choice questions. It will take them about 10 minutes. The questions are grouped into a few pillars around their awareness and perception of the data protection/cybersecurity program, and then some specifics on their actual practices concerning devices, connections and data access.

In taking the survey, employees need to stop for a minute and think about how they protect data in their day-to-day job. It’s a learning experience for them and it helps to build awareness of the importance of data protection.

SS: Tell us about how the data generated from the assessment is useful?

CM: As I often say, you can’t improve what you don’t measure. The beauty of what we developed is that it provides two views into the culture. It measures what the program managers think is happening and then matches it with measuring the perceptions and behaviors of the employees. With this data, managers can adjust their program as needed and prioritize what employee behaviors are most important to change. I’ve done a lot of change management projects with companies around the world, including India. Effective change in behavior and culture requires a clear path and short steps. Our assessment is designed to provide the data that allows a company to prioritize what to work on and to set quantifiable goals.

SS: How does the service work?

CM: The managers get an enrollment key to take a short program assessment in the secure Ethisphere Assessment Platform and get a maturity score on a 1-5 scale based on their responses. The company sends their employees a link to anonymously take the matching culture survey. Ethisphere compiles and correlates the two data sets. The company receives a report with the results, featuring our analysis and priority action recommendations.

SS: How granular can your analysis go?

CM: Assuming the company has chosen to survey a large enough percentage of their workforce for us to have significant sample sizes, we can go quite deep. One of the most valuable things that we can do for companies is to segment the culture data in two ways: by location, and by business unit.

Location segmentation is valuable because it gives insight into how implementation and employee perception are impacted by regional or cultural variations, training methods or IT infrastructure.

Business unit segmentation is also really valuable because different business units access different levels of confidential information and need to share it with different internal departments and third parties.

This level of data segmentation allows a company to benchmark locations and business units and then share the “good” practices throughout the entire organization.

SS: How can companies use the results to improve their program and drive sustainable change?

CM: As I mentioned, our report includes a priority action roadmap. We analyze the program assessment and corresponding culture survey to identify gaps and areas for improvement. We also look at what is working well to see how that could be applied to the weaker areas. Perhaps most importantly, we prioritize what we think a company should focus on improving over the next 6-12 months. Ethisphere BELA members have access to a lot of great resources that can accelerate their improvement – things like policy templates, training materials, and guides to implementing Champion programs. The resources come from BELA member companies, from Ethisphere and from partnerships we have, like with the Cyber Readiness Institute.

SS: What advice do you have for companies on building a culture of data protection/cybersecurity in a hybrid work environment?

CM: The goal is to embed data protection into the culture – into the basic day-to-day behavior of the employees. Working from home. Working from the office. Probably, working from hotels and airports again in the future. It doesn’t matter.

Successfully creating a culture of data protection/cybersecurity is similar to creating any compliance culture. The policies need to be practical. You need to gain employees’ commitment. And then you need to make sure they know what you want them to do and how to do it. Here’s an example about the use of Virtual Private Networks (VPNs), which improve security for remote employees. During the pandemic many companies rushed to put them in place if they didn’t have them. But when you talk to the employees you hear things like – “it keeps disconnecting,” or “I can’t always tell if it’s working,” or “it makes my home internet connection unusably slow.” If your employee is working from home on a time-sensitive project involving confidential information and has these problems, what do you think they’ll do? They do the “work-around.” Good intent, but bad for security.

To build the culture, start by focusing on the core policies that will have the greatest impact on reducing risk. In my work at the Cyber Readiness Institute, we suggest companies start with authentication, software updates, phishing and the use of USBs and removable media. Create simple, practical policies on these four issues and educate your employees about why they’re important and what to do. A key success factor is making sure you provide your employees with a secure way to work and do their job. If you have people changing locations from home to office, you can’t just say no USBs if you’re not providing secure cloud-based file sharing. Be realistic and have empathy for people trying to do their job in a radically different and challenging situation. Empathy goes a long way in helping to shape culture. To get started, you need to measure where you are now because you can’t improve what you don’t measure.

About the Expert:

Craig Moss has worked with companies of all sizes around the world on how to improve compliance and risk management performance. At Ethisphere, Craig is responsible for developing and delivering the “Measure and Improve” program designed to help companies and their supply chain mature their programs for cybersecurity, data protection and anti-corruption. Craig has worked extensively with companies in India, China and Asia over the past 25+ years.