The threat from cyber criminals is growing year on year. According to Symantec Corp., malicious attacks increased by 81% in 2011 [1]. If your business is one of those caught up in a cyber attack and your customers’ data is stolen, the reputational damage and financial consequences can be immense.
Unfortunately, the typical response of many organisations aiming to strengthen their defences often has the unintended consequence of increasing the business’s exposure.
To maximise security, your business must resist the instinct to constantly increase monitoring, controls and rules, and focus instead on developing an intelligent security culture that reflects real human behaviour and makes security the responsibility of all employees. Striking the right balance between control and culture is at the heart of effective cyber security, and it is also where the difficulty lies.
If you answer yes to the following questions, it may be time to rethink your approach.
Is your instinct to make security the sole responsibility of a trusted group of experts?
This approach reinforces the perception that security is solely the province of a few people in head office. As a result, your business loses the real protection afforded by a security culture that is embedded across the organisation. Reframe security in a way that reflects the way employees think and behave. Start by creating a compelling narrative around security and business assurance that engages your people and demonstrates how their behaviour has a direct bearing on what they care about.
Do you respond to a breach in security by increasing the level of employee monitoring?
Heightening the level of monitoring can make people feel like they are being watched by ‘Big Brother,’ eroding trust. Employees become less vigilant on the organisation’s behalf, which actually increases your exposure. Running collaborative events with your employees to systematically review breaches in security, and talking openly about what happened, means you can together find ways to address the cause and reduce the likelihood of it reoccurring. Using co-design and co-development approaches, where your employees are partners in creating a security culture, can reap significant benefit.
When it comes to managing risk, do you focus on the workplace?
By focusing on workplace risk you could be neglecting critical areas of risk outside the workplace. Risks are often most acute, for example, when employees commute by rail, or when they transfer documents to social media accounts at home. Make sure that you accurately identify where risk is most likely to occur and develop technology-enabled and employee-owned approaches to safeguard your organisation's prized assets.
Do you develop new procedures and rules in response to each new risk you identify?
Creating more and more rules means that employees are so inundated with ‘dos’ and ‘don’ts’ that they start to overlook critical ‘must do’ behaviours. Typically, these rules are published in thick operating manuals that people don’t read, let alone follow. Make sure your employees focus on, and are held to account for, the critical things that matter most. Promoting and gaining commitment to specific behavioural requirements, and building them into your current ways of working, helps to create everyday ‘habits’.
Do you depend on strict controls to protect your business against security risks?
Relying on rigid controls that do not acknowledge normal human behaviour, such as accessing social media or working out of hours, often makes it harder for your employees to do the right thing. When employees try to get around the controls, they can open your systems to attack. Recognise that new ways of working and communicating are transforming the workplace, together with the changing demands of the workforce (‘Generation Y’). By challenging the core assumptions underpinning your security practices you can assess the role and effectiveness of direct control.
To find out more about striking the right balance between control and culture in your organisation, please contact us now.
[1] ‘Internet Security Threat Report, Volume 17’, Symantec Corp., April 2012.