Written by Stephen Burke, CEO and founder of Cyber Risk Aware.
Building a cyber-security-aware culture, supported by real-time accountability, is the only way to shield a business from cyber attacks.
Every day brings a new security threat or a new report of a massively destructive cyber attack, and 2019 was one of the worst years on record for attacks and breaches. Over the course of 2019 there was a 54% increase in data breaches, many with dire consequences. What you read in the press is the tip of the iceberg when it comes to the fates of global players such as Verizon, Capital One, British Airways and many others, and the full implications of many attacks are still to be seen. Predictably, IT vendors continue to innovate and provide best-in-class infrastructure solutions, and yet the attackers continue to prevail and profit while businesses are crippled, heavily fined, or both.
Using technology to counter the problem, while necessary, is only one part of the solution. Handing the IT function sole responsibility for your company's defences against these criminals is misguided at best. Enterprises are discovering that the technology piece only goes so far. It is just one piece of the armoury.
Commonly cited industry figures attribute around 90% of breaches to human error, a striking statistic when you consider that even the most technically robust network can be undone by one absent-minded click on a phishing email. The best technical solutions in the world cannot secure your IT infrastructure on their own. Your IT department will be the first to agree that their day-to-day challenge is dealing with users who undo all their good work. Just as an army must be trained to use the weapons it is given, your people must be trained to defend your company's systems. The only way to ensure your defences hold is to train your foot soldiers to use the technical arsenal they have been issued.
The vulnerabilities that criminals exploit are varied and difficult to address internally without expertise, and a natural step to address them is cyber security awareness training. Many organisations that do implement training programs train only their technical staff, missing the real source of the problem: the employee on the front line. Every computer and every communications device is a potential door for a criminal, and untrained employees are not only opening that door, they are propping it open and inviting the attacker in.
For other companies, staff training comes only after they have been attacked and the source of the breach is revealed. The organisations that truly understand that these attacks are never going to go away, and that plan long-term protective measures, are the ones that build a real cyber awareness culture and recognise that cyber security is a business issue, not just an IT one.
In practice this is relatively simple, resource-light and cost-effective, and there is a lot to be gained from a staged approach:
Stage 1: Assign responsibility and authority. The most important point is that cyber security should not be left in the hands of a single department. It should be treated as a company-wide initiative and given the recognition it deserves. Select a department, individual or team with connections across the organisation, give them the authority to implement training and awareness, and incentivise people to buy into the initiative.
Stage 2: Assess buy-in. Keep tabs on progress and make sure everyone in the organisation adopts a cyber security mindset. For example, check that your finance people have reviewed the cyber cover in your insurance policy; you may even save on premiums by demonstrating your preventative measures. Equally, your HR department should update your social media and email-use guidelines and build the training into employees' development plans.
Stage 3: Attack your own defences. Run regular attack simulations against your own organisation, such as simulated phishing campaigns against staff and vulnerability scans or penetration tests against your network. The results show your greatest areas of weakness, give your IT people concrete signposts to technical vulnerabilities, and tell you which groups of staff to prioritise for training.
Stage 4: Train. Implement training across the organisation, both horizontally across departments and vertically through every level of seniority. If you are a global organisation, look for training delivered in employees' native languages and avoid machine translations. Your C-suite should be trained in the same way as the most junior employee: cyber criminals do not care who they target, so everyone on your network is a potential target.
Stage 5: Communicate, reward, motivate. Talk about what you are doing. Share successes and tell employees how you are keeping them and the company safe; what they learn at work they can also apply at home. Reward the people who act as cyber heroes. This motivates others, and keeping cyber security on the agenda ensures that the culture survives as employees come and go.
Stage 6: Review and measure. Set clear KPIs at the start, such as the click rate and report rate on simulated phishing emails and the time it takes staff to report them. Keep reports on where your weakest points are (it may, for instance, be a department with a lot of temporary workers) and put measures in place to eradicate those weaknesses.
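As an added illustration of Stages 3 and 6 together (example code written for this page, not a tool from the article or from Cyber Risk Aware), the script below takes per-recipient results from a simulated phishing campaign, computes click rate, report rate and median time-to-report per department, and flags the departments that breach the thresholds you set as KPIs. The record layout, the threshold values and the sample results are all constructed assumptions; a real simulation tool will export something similar that you map onto the `Delivery` shape.

```python
"""Phishing-simulation KPI report. Added example, not the article's own code.

Assumes the simulation tool exports one record per delivered lure with the
recipient's department, whether they clicked, whether they reported it, and
how many minutes passed before the report. The SAMPLE records below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Delivery:
    department: str
    clicked: bool
    reported: bool
    report_minutes: Optional[float]  # None when the lure was not reported


# Constructed sample campaign results (hypothetical departments and outcomes).
SAMPLE: List[Delivery] = [
    Delivery("finance", False, True, 4.0),
    Delivery("finance", True, False, None),
    Delivery("finance", False, False, None),
    Delivery("finance", False, True, 12.0),
    Delivery("warehouse-temps", True, False, None),
    Delivery("warehouse-temps", True, False, None),
    Delivery("warehouse-temps", True, True, 90.0),
    Delivery("warehouse-temps", False, False, None),
    Delivery("exec", False, True, 2.0),
    Delivery("exec", True, True, 30.0),
]


def department_kpis(deliveries: List[Delivery]) -> Dict[str, dict]:
    """Per-department KPIs: lures sent, click rate, report rate, median minutes to report."""
    groups: Dict[str, List[Delivery]] = defaultdict(list)
    for d in deliveries:
        groups[d.department].append(d)

    kpis: Dict[str, dict] = {}
    for dept, rows in groups.items():
        sent = len(rows)
        report_times = [r.report_minutes for r in rows
                        if r.reported and r.report_minutes is not None]
        kpis[dept] = {
            "sent": sent,
            "click_rate": sum(r.clicked for r in rows) / sent,
            "report_rate": sum(r.reported for r in rows) / sent,
            "median_report_minutes": median(report_times) if report_times else None,
        }
    return kpis


def weakest_departments(kpis: Dict[str, dict],
                        max_click_rate: float = 0.25,
                        min_report_rate: float = 0.5) -> List[str]:
    """Departments breaching either threshold, highest click rate first.

    The default thresholds are assumed example KPIs, not figures from the article.
    """
    flagged = [dept for dept, k in kpis.items()
               if k["click_rate"] > max_click_rate or k["report_rate"] < min_report_rate]
    return sorted(flagged, key=lambda dept: kpis[dept]["click_rate"], reverse=True)


if __name__ == "__main__":
    report = department_kpis(SAMPLE)
    for dept, k in sorted(report.items()):
        print(f"{dept:16} sent={k['sent']:3} click={k['click_rate']:.0%} "
              f"report={k['report_rate']:.0%} median_report_min={k['median_report_minutes']}")
    print("prioritise for training:", weakest_departments(report))
```

Run each campaign through the same function and keep the per-department output so that successive campaigns can be compared; a department whose click rate stays above the threshold across campaigns is the signal that training content or delivery needs to change, not just that more of the same is needed.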
These steps give you the foundations for building a strong cyber security culture within your organisation. The key is to run them as a continuous loop. Keeping your people up to date and trained makes them the most valuable custodians of your company's network. Technical solutions can be hugely expensive and often swallow most of the budget (and attention) given to cyber security, whereas a programme like this is surprisingly cost-effective and ultimately invaluable. The human touch works both ways: it can bring you down, or it can be your best defence. It's your decision.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.