One question I am asked at almost every industry gathering I attend is, “Which are the best solutions to respond to the technical cyber risks faced by organisations today?”
Addressing cyber security concerns has always been recognised as a combination of people, process and technology. However, in my mind there has always been an over-reliance on technology solutions, with new products being launched on a regular basis and advertised as a “silver bullet” to many new risks.
Now, more than ever, I am convinced that technology solutions are not the panacea that many in the security industry take them to be. Traditional solutions focused on hardware and software continue to over-complicate technology environments that are already struggling to keep pace with the technology revolution and the rate of business change.
While users are often cited as the weakest link in cyber security, they could also be the answer to the problems faced by businesses today. Users can address the risks faced and provide the "wetware", the human complement to hardware and software, that amplifies the benefits realised from traditional technical responses.
In Ernst & Young’s most recent annual Global Information Security Survey and the recent UK government Cyber governance health check report, over 50% of businesses surveyed indicated an intent to increase their investment in and resourcing of cyber security functions. Yet businesses still commonly ask me how many cyber security staff they should have relative to the size of their business.
My response is always that there is no metric that can be applied to size a security team appropriately, and that a more useful answer is to ensure that all employees in a company are cyber aware and educated. Technology, be it hardware or software, can only ever be one part of the solution. A successful deployment of cyber security training and an awareness programme would result in a business with 100% of the employee base facilitating the work of the cyber security team.
Making your cyber security awareness training succeed
Many companies have sought to address the issue of awareness in the past, with varying degrees of success. So if the wetware is the answer to most business cyber security risks, what steps should the security profession take to ensure that awareness programmes conducted within a business succeed?
The first step, and probably the hardest, is to accept that the cyber security team is not best placed to manage the awareness programme. My experience tells me that a successful security training and awareness campaign is best delivered with a focus on marketing and communications, professions whose sole purpose in business is tailoring messages so that they resonate with the intended audience.
The second step is to recognise that publishing policies alone will not bring about an increased awareness of security issues and appropriate responses. While policies are a necessary part of managing security, many security professionals judge the quality of a policy by the “thump factor” as its sizeable tome lands on a desk, without realising that the very tome they have spent months perfecting is the reason the majority of staff in an organisation have no interest in either reading or complying with those policies.
Incentives to learn are required to ensure that users are willing to undertake security training. Tailoring messages to business roles is essential, while using enterprise software licence agreements to provide employees with free software for use at home can be highly successful in attracting interest in learning more.
It is time for security professionals to recognise that we have relied for far too long on technology solutions and that the time is right to truly address the human factor of cyber security.
The vast majority of cyber security breaches can be traced back to well-intentioned but misinformed or uneducated users. However, if we can collectively address and educate our wider business colleagues, not just in the IT function but throughout the business, making them “cyber streetwise”, the benefits will be significant.
We are unlikely to stop cyber security breaches entirely, but to address the gaps that exist in our chosen hardware and software solutions we can rely on the wetware that holds our companies together: our colleagues.
Mark Brown is director of risk and information security at Ernst & Young.
This was first published in February 2014