It is human nature to try to avoid mistakes and the embarrassment of failure; after all, avoiding mistakes is trained into us through “operant conditioning”. In cybersecurity, however, it is important to adopt a policy of embracing mistakes, so that people do not try to hide the times they had a “near miss” with a scammer, hacker or malware attack. It is human nature to be embarrassed at being caught out by something you have been warned about, been given training on, or feel you should not have fallen for. People who experience these cybersecurity mistakes will often try to hide them – and take no further action.

Cybersecurity mistakes should be like OHS

For many years, businesses have openly expected reports of Occupational Health and Safety incidents: there are targets for the number of events reported, recognition for people who report incidents, and escalation of reported issues so that action and response follow. This is the attitude we should take within the realm of cybersecurity.

Board level visibility

I serve on a few boards, and there is visibility at the board level of OHS incidents and statistics, and actions are taken to ensure that violations are remediated. Budget can be allocated to more safety equipment, remedial action such as guard rails or repairs, and a focus on training – including bringing in external trainers. Regular audits and checks are done, and this is reported all the way to the Board. This is common practice, and acceptable and understandable to Board members.

This type of approach should be taken in businesses for the risks posed by cybersecurity events – they are a risk to the business, to its ability to continue to operate, to the reputation of the business in the eyes of both customers and staff, and to compliance with regulations and standards.


There is considerable crossover with cybersecurity concepts: protective measures need to be put in place for incidents that are unexpected and unplanned, there is an acknowledgment that sometimes things just happen no matter how hard you try to prevent them, there needs to be continuous investment in safety consumables (anti-malware subscriptions), and budget needs to be assigned to the area.

Embracing cybersecurity mistakes

Too often, cybersecurity mistakes are treated as an unexpected disaster. It should be expected that a cybersecurity event can and will happen to every organisation at some time. It has been reported that 31 percent of businesses identify that they are attacked every week, and most of these attempts use phishing to attack the weak spot in any organisation’s cybersecurity defence – the people. Humans, or ‘wetware’, are the weak point, as people are fallible and cause cybersecurity mistakes.

Instead of punishing and chastising people for the inevitable mistakes that will occur, we need to take an approach like OHS, where reporting an incident or near miss is recognised and rewarded. We need to encourage people to be more open about phishing they have avoided, telephone scams they nearly fell for, and information disclosure they shut down. The more open we are about the incidents that will inevitably happen, and the more we support staff so that they no longer hide in shame after nearly being caught out (or after discovering they have made a mistake, which the business needs to know about so that a response can be arranged), the better it works out for everyone.
