Maksim Pasko - Fotolia
What changes are needed to create a cyber-savvy culture?
PA Consulting's Cate Pye considers the people and process changes that are necessary to build a security aware business culture
New opportunities are appearing at breakneck speed in today’s technology-fuelled world, and organisations that are able to adapt and seize these opportunities fastest are winning market share and competitive advantage.
In this race to be first, organisations have to build a security culture that enables them to test that what they are doing is safe and commercially worthwhile.
Many organisations have already invested in their systems to protect them from cyber attacks, with the increasing numbers of these attacks meaning cyber security is now on the board agenda.
But anyone delivering an IT programme knows that the systems only work if they are used in the right way. With 64% of breaches caused by non-malicious human error, it is clear that just getting the right systems won’t provide sufficient protection.
What is needed is a similar approach to embedding a culture of cyber security to that taken, a few decades ago, to drive improvements in health and safety expectations.
From displaying visible metrics on the shop-floor wall to introducing rules ranging from use of ladders to not carrying hot drinks up and down stairs, engineering and power industries made clear which behaviours were expected and which would no longer be tolerated.
Bring IT to the board
In cyber, this starts with the board providing both advocacy and demonstration of good cyber practices, and discussing cyber security at board meetings. Leaders must adhere to good cyber behaviours themselves and not be tempted to break the rules everyone else has to follow, either just for convenience or because they think they’re different.
It is not okay to send emails to a home email account, to ignore patching prompts or to have a weak password. The reality is that senior people are more of a target, and by ignoring their own policies they undermine all the good work across the organisation by sending a message that implies “we say this, but we don’t really mean it”.
Putting cyber on the agenda at board meetings can start to demystify it and build a common language between the business leaders and technology leaders. There is often a mis-match between the level of confidence these two groups have in their cyber security and how they prioritise investment.
Having a regular board slot to talk about the business impact of cyber security and to understand the opportunities and threats the organisation faces creates a common view and understanding of what cyber security is needed to open up those new opportunities. It also means that if an incident occurs, board members feel better equipped to answer the questions they will inevitably be asked.
In general, telecoms and consumer-facing organisations often discuss cyber security at board level and are likely to have a board member with responsibility for cyber security. Others, especially those in energy and infrastructure organisations, should learn from this.
For employees, it is important to build an environment in which they understand why cyber security matters, feel empowered to make changes for the better, call out poor behaviours, and take pride in the fact that their organisation is good at cyber security.
Today’s employees would be shocked to work for an organisation with a poor health and safely record, tomorrow the same will be said of cyber security. Giving employees training to know what they do need to worry about and do (and what they don’t) helps them to focus on what matters. It also builds their confidence and knowledge so that the efforts of the cyber security team are amplified by the whole workforce.
Processes that encourage compliance are essential, but these need to be convenient. It has to be easier to comply with the right process than to find workarounds – we are, after all, human. That should reflect a mixture of streamlining good processes and introducing delays into bad workarounds.
This is the theory behind the CyberNudge interventions which work with human nature by building in frequent “nudges” to help people do the right thing. Most people respond to a helping push in the right direction, but struggle to remember exactly what the training course they did a few months ago told them to do – particularly when they’re in a rush or up against a deadline.
Nudges are tailored to the organisation and can range from needing an extra click to open an attachment to slow down the thought process, to a pop up or blog on news stories about breaches that is streamed to people’s smartphones.
Establishing these people and process ways of working as the norm creates a culture across the organisation where people expect each other to do the right thing. Once these levers are understood, the systems can come back into play to reinforce good behaviours and underpin the new processes.
This enables the organisation to respond quickly to new opportunities knowing that the people, processes and systems are mutually supportive and alive to the potential risks, as well as the upside, of technology-enabled growth.
Read more about security awareness
- As the National Cyber Security Strategy nears the end of its working life, the government is considering what comes next, and is asking probing questions of its successes and failures.
- A joint HP and IDC report warns that buyers are falling at the first hurdle on security by not including it in their endpoint RFPs and tenders.
- Attitudes to workplace cyber security differ by age group, but not in the way one might imagine, according to a new study by NTT Security.