“While almost everyone recognises that cyber security is about people, process and technology, the focus has always tended to be on the technology side,” she told Computer Weekly.
However, a growing number of companies, particularly in the defence and finance sectors, are doing more than paying lip service to the fact that cyber security is about people by seeking to understand what behaviours need to be addressed.
These forward-thinking organisations are working to understand why and how people are the weakest link and how that can be turned around, said Barker.
This typically requires understanding the psychological and sociological influences at play and implementing the processes and technologies required to support and reduce the burden on people, who are on the front line of cyber security in most organisations.
“I have worked with organisations which, over the course of a few years, have gone from being very concerned about a lack of security awareness and poor behaviours to having a culture where security is positively embraced,” said Barker.
“As a result, people understand the value of the information they are handling, people feel empowered and interested, and there is a positive change in behaviours.”
But it is important to recognise that this kind of transformation takes “a real drive from senior leadership” to make it clear why cyber security matters, that it requires investment, that people will never be 100% infallible, and that this is about cultural change and will not happen overnight, said Barker.
The impetus for senior leadership to get behind such a transformation typically comes from a cyber security breach, either of the company itself or one of its peers, she said.
“It is important for business leaders to understand that they need to be the drivers of this transformation, that it takes dedication and they will need to lead by example, that they will need to give their input, and that it is a long process that could take several years.”
Also, this type of cultural transition needs to be resourced and often requires innovation and imagination, said Barker.
“It requires more than an annual tick-box computer-based training session. It requires looking at all the human factors pertaining to security, looking at communications and thinking about how the security teams are going to engage with people in the organisation,” she said.
“But I have worked with a number of organisations that have seen a clear change in behaviours as a result.”
And although changing behaviours is an important goal and outcome, Barker said that in addressing people as the weakest link, there is a tendency to think that the solutions lie only with people and their behaviours.
“It is also important for organisations to look at how they can take the burden off end-users,” she said. “Many of the problems with human behaviour and cyber security are down to being overwhelmed by email, workloads and security considerations.
“However, at the same time, I don’t want to see a reliance on technology to the extent that people in organisations stop thinking about what they are doing and taking responsibility for it, because, as we know, attackers will find their way around any security controls.”
Reiterating that organisations need to “live and breathe” the fact that security is about people, process and technology, Barker said organisations must look at all their cyber defences holistically, which means looking at the user as part of the solution. This is not only about changing behaviours, but also about reducing the security burden on people.
Barker will discuss defending the human network in more detail at Cybercon on 23 February 2017 in Plymouth, which requires an invitation from event organisers.
Any senior information technology and security professionals interested in attending Cybercon can apply for an invitation through the event website.
“The one thing I would like to inspire this audience to do is to think about the culture they have in their organisation and how they address cyber security,” said Barker.
“I would like them to ask themselves if their security culture is a positive one or a negative one that is all about fear and punishment, which will only harm an organisation and make security worse by forcing people into avoidance, denial and other poor behaviours.”
Positive security culture
Barker said she would like to encourage business leaders to think about how they can build and support a positive security culture.
“They should think about how they can talk about scary things in a way that will not put people off, how they can make security more interesting to the average person in the organisation, and how they can provide small rewards for good security behaviours,” she said.
These rewards can be as simple as small prizes for people who score highly in security-related pop quizzes or who do not fall for phishing emails sent as part of a training exercise.
Barker said she is looking forward to talking to senior leaders from businesses of all sizes and sectors at Cybercon, particularly as there are relatively few events of this kind in the South West.
“This will be an opportunity for attendees to raise their level of awareness on cyber security issues and take away advice they can implement in their own organisations,” she said.