Media reports on the cyber threat frequently cite high-profile, high-impact cyber attacks carried out by organised, sophisticated and deliberate cyber criminals. However, US and UK research¹ shows that the everyday behaviour of employees presents one of the greatest risks to your organisation and its customers.
The growth of social media, remote working and the use of personal devices – plus a ‘Generation Y/Millennial’ mind-set among younger employees who don’t value traditional control and formality – all combine to create new vulnerabilities in an organisation’s cyber defences. While technical defences are important, they have limited effect if they are undermined (albeit unintentionally) by employees who do not follow security policies, either because they find them inconvenient or because they don’t understand why they are necessary.
The commitment of your people to protecting your organisation is an essential component of a strong cyber defence. This means a critical part of your cyber strategy must be to focus on the human aspects of your organisation – on developing a positive security culture that is grounded in employees’ attitudes, evident in the behaviours people exhibit (especially when no-one is looking) and which is reinforced by the actions of leaders.
So how can you develop an organisational culture that makes you more secure?
Aim to ensure that security is owned and lived by all employees and not just a few experts in business risk and security functions. Stress the responsibility of the individual as well as the whole team for protecting critical assets and make no exceptions for leaders, who must act as role models by adopting required ways of working. Rather than increasing monitoring (CCTV, checking email etc) in response to a security breach, acknowledge what has happened openly and treat it as an opportunity to learn. Make it acceptable for employees to challenge colleagues directly when they see poor security behaviour (such as holding sensitive conversations in open locations), rather than encouraging employees to report on colleagues.
Encourage your people to view security not as something restrictive but as something that enables your organisation to deliver its promise to customers. Develop a compelling narrative that resonates with your employees and clearly demonstrates that by protecting information assets effectively your organisation proves itself worthy of the trust that customers, suppliers and partners place in it when they share personal or business data.
An effective security culture does not stop at your organisation’s walls and physical boundaries. Take account of your employees’ approach to security both in the workplace and outside it. Identify ways in which you can involve your customers, suppliers, partners and contract staff (especially those you often overlook, such as cleaners) to promote an integrated, end-to-end view of the ‘right things to do’. Be specific about the behaviours and ‘ways of working’ that make the most difference in securing your organisation’s critical assets.
Make it easy for people to do the right thing. Social media and working from home are normal behaviours that are here to stay. By recognising this, your organisation takes the first step towards finding ways to enable employees to transfer information securely and protect customer data, and minimises the temptation for employees to find ‘work-arounds’ which make you more vulnerable to attack.
By investing resources and effort in your people and culture, your organisation can significantly improve its security and reduce the potential for a successful cyber attack.
¹ For example, research undertaken by the CERT® Insider Threat Center at Carnegie Mellon University.