Mike Carter tells us why engaging every employee in a proactive and collaborative approach to cybersecurity is essential.
A recent article from the BBC reports that two-thirds of large businesses have been victims of cybercrime in the past year. That’s according to government research in the Cyber Security Breaches Survey. On one level, this is not news to us in the security industry, but the scale of the attacks, the cost to businesses and the warnings from the Digital Economy Minister, Ed Vaizey, make for stark reading. He said, “Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks. It’s absolutely crucial businesses are secure and can protect data.” The report indicated that 7 out of 10 attacks could have been prevented. Engaging the people across your organisation is critical to mitigating the risks to its security. It can be done, but tackling culture means everyone rolling up their sleeves and playing an active role. It challenges the way things have been done to date.
Don’t Fall for the Tech Promise
There was a time, not so long ago, when technical attacks by hackers required security chiefs to find technical solutions. But as social engineers target people in ever-increasing numbers, security chiefs must find people solutions. Generally, businesses to date have been slow to respond, but they are catching on, with the realisation that a radically different approach is essential.
Technical solutions – and we still need them – mean buying a product off the peg that does x. It’s a simple transaction: the product ‘comes in a box’ and provides the solution. Yes, it has to be optimised and used in the right way to be effective, but buying that product solved a problem, for a while at least, and the security chief could have some peace of mind. The solution meant everybody in the organisation could rest easy in the knowledge (or illusion) that everything was taken care of by those whose job it was to take care of it.
Get People Involved in Security
Not so now. Whether we like it or not, people hackers have cast every individual as a frontline defender. Responsibility for the security of the organisation has been devolved from a small designated team to every single individual. Security chiefs inevitably feel the tension of that situation: they’re still accountable but everyone is responsible, and their success in mitigating risks and preventing breaches relies on everyone else playing their part. It can be a big leap for CISOs coming from an IT background to deal with this new problem that is ‘messily human’ and fundamentally different. Now, more than ever, they need to be strong communicators and strategists who understand what makes employees tick.
Getting Buy-In from the Top
And they also need to be ‘business partners’ with an equal footing at the top of the company. They need to convince the C-suite to listen when they say they need something, and that they can’t do this job alone anymore. Speaking in a recent interview, Vantiv CIO Kim L Jones discussed this issue: “When I raise my hand and say there is a challenge, we have to be willing to look at that together so that we can make the appropriate decision.”
Creating a Proactive Security Culture… Where do I begin?
Culture is the key: awareness will only translate into more secure behaviours, and those behaviours will only stick, in a culture that supports them. More and more of the security chiefs we speak to are saying that we need to move from awareness to culture change. Culture involves everyone, so changing it must be inclusive. Culture is a ‘living thing’ that is generated by everyone.
3 Ways to Engage Employees in Security
The good news is that there are proven ways to engage your staff, mobilise them to the cause, and develop the culture of your organisation. But they will only work if the people who make up the business pick up the baton, take responsibility, own the initiatives they are given and use the tools that enable them to do the job, because, ultimately, your culture will always belong to you.
1. Behaviour – What behaviour could you model that would demonstrate the importance of security in your business/organisation?
2. Inquiry – What question could you ask that would get employees discussing security in a positive and engaged way?
3. Help – What help could you request from employees?
We’re All Part of the Security Solution
Solutions to the human factor disrupt the paradigm of simply purchasing a product to do the work for us. Technical solutions alone will never do the job, and there isn’t a genuine solution to behavioural and cultural change that doesn’t require buy-in across an organisation, and ongoing work and effort, from everyone. I’m echoing Gert-Jan Schenk here, who, in a recent piece in SC Magazine, wrote about the need for companies to switch from ‘defence to offence’ and for greater collaboration: “Deploying solutions without first understanding the problems to solve and a strategy to solve them has proven ineffective and mega-breaches have proliferated over the past few years.”
There’s no easy fix to security culture change, but there are ways to kick-start the process, get some immediate results and lay the foundations for sustained development with some budget, some time and, most importantly, the will to make it happen.
Layer 8 provides a range of solutions that enable businesses of all sizes to raise awareness, change behaviour and develop a proactive security culture.