Cybersecurity is a culture, not an action
Does your organisation have a culture of cybersecurity? Or is your company taking a ‘traditional’ approach to cybersecurity, treating it as a layer applied by the IT department? Most modern organisations are evolving towards treating cybersecurity as a culture, not an action to be applied over the top of systems and servers.
Cybersecurity, health and safety
Many organisations have already taken an approach that makes health and safety a cultural part of the organisation, and some even add it as one of the company values. This takes the responsibility for HS&E away from a single department or representative and instead places it with all employees. Organisations need to take the same approach with cybersecurity, moving the responsibility from the IT department implementing firewalls and restrictive SOEs to being the duty of all employees.
Some organisations have targets for reporting HS&E ‘near misses’ and safety incidents, and modern organisations are now starting to do the same for cybersecurity near misses and events. This culture of open reporting, and recognition that a cybersecurity event is inevitable, removes the embarrassment and stigma of being a “victim” and reduces the chance of people attempting to hide that they are being used or leveraged by an attacker.
Consumerisation of IT
As information technology has become mainstream, we are all using technology more for both business and personal use. Consumers use IT daily, and hackers know that there are many more vectors to reach juicy company data than simply attacking the company website. The main threat to businesses is not traditional hackers probing at firewalls, but the insider threat posed by employees – and they are not always malicious or intentional.
The threat of people inside your organisation being the attack vector is increasing. Email-attached malware, clicking on links or visiting malicious sites, phishing and vishing, social engineering and data theft are just some of the threats that exploit internal employees. People are, and always will be, the weakest point in any organisation’s cybersecurity. Ninety per cent of cyber attacks stem from people’s actions, or inaction – so the focus of security should move to users.
Culture change is not a training course
Many organisations may be tempted to simply run an annual presentation of tips and guidance, sprinkled with scary stories of co-ordinated nation-state attacks on big-name companies and consumer systems. However, whilst the facts and figures may intrigue people, this may not have the desired outcome of changing behaviours and attitudes. Similarly, firms may believe that distributing an “acceptable use policy” during staff induction is sufficient to inform staff of their responsibilities. Instead, cybersecurity awareness and culture is an ongoing activity that should not only make staff aware of both the overt and subtle ways that cyber threats may present themselves, but also ensure that staff know their responsibility to act on and report incidents – without fear of punishment or embarrassment.
Taking the analogy of health and safety, where staff are made aware that they should clean up and mark a spill on the kitchen floor, employees should feel confident that cybersecurity events will happen, that there may be confusion and concern, but that they will be positively recognised for stopping and reporting an event instead of trying to sweep it under the carpet.