Here we explain why cyber-responsibility is so important and outline the steps you can take to create a culture that keeps your company safe from cyber-harm.
Culture beats software
Cyber security is not simply a technical solution. Nor does responsibility for it rest solely with the IT department. According to renowned cyber expert Professor Alan Woodward of the University of Surrey, there are three parts to cyber security: people, processes and technology. So, you’ve got secure software installed on every office PC and every remote device – that’s one part addressed, but how about the other two?
“Over 90% of the time the problem is the human in the loop.” – Professor Alan Woodward, Cyber Expert, University of Surrey
Your employees are your strongest line of defence against cybercrime. Why? Because cyber criminals know that however solid a company’s technical fortifications, it is people that offer a potential gap in its defence. Just like the Greeks with their Trojan horse, they have learnt it is far easier to play on human emotion than to break through firewalls. No anti-virus software will prevent an employee clicking on a link in an email from a ‘trusted’ sender and inadvertently opening the gates to the company system, and the confidential information within. “Over 90% of the time the problem is the human in the loop,” says Woodward. “They’ll either be ‘socially engineered’ or they’ve given something away that allowed people to break into the system.”
Engineering and education
Liz Murray, Global Awareness, Communications and Training Specialist at HSBC supports the business on creating a healthy cybersecurity culture. She says that much of her work this year has focused on social engineering. “Cyber criminals are clever. We need people to understand that they push their emotional buttons. That the email that tricks you into clicking on it is playing on an emotion such as happiness or fear. People need to know what to look for – to understand the risks and the threats and how they manifest themselves. They need to be aware of the emotions involved.”
Changing the culture
“Companies must foster an openness that allows employees to report potential issues and, crucially, to be unafraid to raise a hand if an incident occurs.” – Liz Murray, Global Awareness, Communications and Training Specialist, HSBC
Cyber awareness can be achieved through education, but a healthy cyber culture needs more than knowledge, more than reinforcing what has been learnt, and certainly more than running a single training session to mark Cyber Awareness Month and then forgetting about it. It requires changing a long-standing cultural norm in which employees fear punishment if they make what could be deemed a mistake. Murray says that companies must instead “foster an openness that allows employees to report potential issues and, crucially, to be unafraid to raise a hand if an incident occurs”. “Cyber awareness must be integral to a company’s culture – it’s what people do when no-one’s watching; that they’re educated and aware enough to be curious, to ask the right questions.”
A process in place
A cyber-aware, cyber-responsible culture means making training resources and information, such as the weekly threat updates from the National Cyber Security Centre, easily accessible to employees. It means having the necessary processes in place that allow staff to report incidents or flag that they suspect they are being targeted, and it also means creating and sharing a response plan that can be activated in the event of an attack – “like a fire drill”, says Woodward. “It doesn’t mean you should plan to fail, but you do need some sort of incident response plan should you be breached. You need a chain of command. You need to know how you’re going to communicate to staff, to your clients, and to the public.”
The importance of leadership
Just as a healthy company culture stems from its leadership, a cyber-responsible culture “must be driven from the top down”, says Murray. That leadership should be operational not only in an emergency, but as a matter of course, agrees Woodward. Getting leadership buy-in to cyber responsibility can be challenging, and that depends on the culture far more than on business size or sector. Board-level appointment of cyber-focused individuals and increasing digitisation are starting to bear fruit, however. “In the last few years we have seen a change to companies having a Chief Information Security Officer who operates outside of the IT department. So, typically, they should either be on, or report to somebody on, the board because cyber security should be in the risk register for any organisation,” says Woodward. Equally important is that this responsibility is disseminated throughout the organisation, with the CEO or CISO heading the chain of command, supported by cyber advocates at every level.
“We are all potential targets, across all digital touchpoints, every single day,” says Murray. “That’s why the culture of an organisation is so important in fighting back. We can’t just assume it’s some other person or department’s issue. Cyber-security needs to be an integral part of every company’s communications, decision-making and processes. Investing in creating a more cyber-focused culture can turn your people from cyber-risks to cyber shields.”
How to create a more cyber-secure culture in your business
- Take responsibility – lead from the top and by example.
- Create regular training and testing programmes to ensure your staff are familiar with threats and how to deal with them.
- Be open – ensure staff aren’t scared to speak up and that they have a mechanism to do so.
- Collate and circulate the latest threat reports and how these may play out.
- Build cyber-security into your processes and policies.
- Create a network of cyber advocates or cyber shields across different departments to identify potential areas of weakness and spread information and best practice.
- Have a plan to deal with any cyber-attack and practise it so that everyone is aware of their role and responsibilities.
- Consider hiring a consultant or cyber-security expert to audit your business and offer bespoke workshops.