At Layer 8 we find ourselves talking to people about cybersecurity every day, and it’s rare that we meet someone who isn’t passionate about and committed to doing a better job of securing personal and business assets from data breach, phishing and ransomware. The meetings we have tend to fall into two categories: we provide workshops for end-users on a range of cyber-security topics, and we spend a good deal of time talking to security professionals about developing effective security culture, founded on proactive security behaviours.
We All Want Better Cybersecurity…
The surprising thing is that the conversations in both instances are remarkably similar; yes, security professionals can provide the broad perspective, they understand the range of risks more clearly, and they know the limitations of budget and resources, but what they share with end-users is a desire to make things more secure, to safeguard the data of their customers, and to find solutions for things that aren’t currently working. The trouble is that the two parties rarely find effective means to work together, pool resources, and collaborate on creating an effective cybersecurity defence.
3 Attempts to Join the Dots Between Security Teams and End-Users
I just wanted to share three initiatives we’ve been a part of which have shared the aim of joining the dots and getting end-users and security teams working together:
#1 – End-Users Become Part of The Cybersecurity Team
An ‘us and them’ mentality hampers all attempts to improve cybersecurity behaviours. Where I’ve encountered this, end-users complain that initiatives lack a detailed understanding of what it’s like to ‘be on the frontline of defence’ and feel powerless to initiate practices that would make a real difference. One large organisation we work with has reached over that divide by inviting all employees to become members of the cybersecurity team. Most important, every employee has a mobile number for a named member of the security team that they can use to report incidents, make suggestions for improvements, or ask for help over local issues. Once a direct line of communication was set up, incident reports increased substantially, collaboration started to develop and regional weaknesses were identified quickly and dealt with.
#2 – End-Users Want to Talk About Cybersecurity…
… but they resent being made to listen to other people talking about it without being included in the conversation. It’s a bit like having a passion for music but being required only to sit and listen to someone explaining the chromatic scale. Feedback we receive from our workshops on cybersecurity always includes comments like “Great to have the opportunity to talk about this” but we also regularly read: “Will wait to see if anything comes of our suggestions for improvements”. We suggested to a company we work with that they use Cybersecurity Awareness Month to set up several five-minute slots for end-users to come and talk about cybersecurity with a member of the security team. They were a tad cynical about the uptake, but they were surprised to see that three-quarters of the slots were filled within 24 hours and the conversations significantly contributed to kick-starting culture change.
#3 – End-Users Know Where the Vulnerabilities Are…
The depth of concern for secure working practices felt by end-users is surprising. When Layer 8 run workshop sessions, we always end by compiling a check-list which comprises three headings:
- Organisational actions required to enhance cybersecurity.
- Departmental actions required to enhance cybersecurity.
- Personal actions required to enhance cybersecurity.
Responses are always detailed, carefully considered, and largely agreed upon across all participants. It’s as though their answers spring fully-formed from their heads – which, of course, they do. End-users think a lot about cybersecurity – it’s just that the means to express their thoughts aren’t yet in place.
We find that creating opportunities for direct communication is a massive step in engaging employees in the conversation about cybersecurity. More often than not, the ingredients for a great frontline defence already exist, but the dots need to be joined up in order to set it in motion.
Layer 8 will be talking more about ‘joining the cybersecurity dots’ in their webinar: Creating an Effective Security Champions Network on 28th March 11.00am-12.00pm. Follow this link for more information and registration.