Cyber security isn’t just about protecting your information from external cyber criminals. Much of cyber risk management is about protecting your assets from careless, uninformed or sometimes malicious employees. In fact, a report from the Online Trust Alliance indicates that only 40% of data breaches were the result of external intrusions, with the rest having an internal cause.
In order to manage these internal threats you need to manage organisational culture. This has two elements. The first is top-down culture, imposed by the leaders of an organisation, including their values, aims and expectations. The second is bottom-up culture, created by the behaviour, perceptions and experience of the people within the organisation.
Top-down culture
The top-down culture of an organisation dictates risk appetite and affects the way it allocates resources. And in many organisations, the leadership fails to ensure that cyber security is properly resourced. For instance, around a third of companies lack an adequate data protection policy, while under 30% have Boards who are highly engaged with cyber security. Without adequate leadership, cyber security is bound to fail.
Usability, or the lack of it, is another reason security fails. Poorly designed systems that cause frustration result in users simply ignoring guidelines. This too is a result of organisational culture: all too often the end user is not seen as important, but merely as someone who must obey rules. Promoting user-focussed design of security systems is an important top-down cultural change.
In addition, many organisations fail to take cyber security training seriously. Security policies are attached as part of the employee handbook and never explained face to face. Or training consists of a brief description of “the rules” without any explanation of why they are important. Give people rules without reasons and they are sure to ignore them.
It’s one thing setting out rules to strengthen security, but if you don’t enforce them, people will quickly forget all about them. Enforcement starts with monitoring and moves on to sanctions. This doesn’t need to mean disciplinary procedures: it could just as well involve words of encouragement, further training, or in some circumstances mild social shaming.
Bottom-up culture
Leaders influence culture by imposing their values and expectations. But culture is also generated from the bottom up in ways that may be hard to manage, delivering attitudes and behaviours that run counter to those that the leadership wants to promote.
For instance, in many organisations there is an attitude that cyber security “is not my problem” as it is seen to belong to the IT Department. But IT systems on their own cannot prevent employees from putting an organisation at risk. Organisations need a culture where everyone from the CEO to the intern takes responsibility for security, and where unsafe behaviour is socially unacceptable in the same way that eating strong-smelling food at your desk, making sexist remarks to colleagues, or taking phone calls during meetings are generally considered unacceptable.
Of course this is challenging, especially in hierarchical organisations where senior staff feel at liberty to ignore the rules because they are “too important”. Nonetheless, there are ways this can be achieved. Empowering and incentivising staff to comment on unsafe behaviour is one way. Developing security KPIs that identify good behaviours, and praising people who show them, is also a help.
Another point to address is credibility. If people don’t believe that particular processes help to deliver security they are likely to ignore them. Proving how effective the rules are is important.
The biggest problem, though, is trust. Most people are pretty trusting, and organisations, wanting to foster teamwork and high motivation, encourage this. Trust means that people don’t challenge strangers who aren’t wearing visitor badges. It means they assume that an email from the boss asking for an invoice to be paid is actually from the boss. It means people help out a contractor who has forgotten their password. It means they assume an approach on LinkedIn is a friendly approach. Building in a degree of cynicism is, sadly, a part of ensuring cyber security.
The role of Human Resources
The internal threat to cyber security is very large indeed: probably a lot larger for most organisations than the threat from criminals and the like outside. And IT tools and systems can only do so much. The active involvement of Human Resources, and indeed managers generally, is essential: to identify internal risks, to generate buy-in to cyber security processes, to train people to behave safely, and to create a cyber-safe culture. Without this, cyber security will almost inevitably fail.
About the Author
Jeremy Swinfen Green has over 20 years’ experience of digital business and is now Director of Business Insight at digital agency Smart Cookie and founder of the digital governance consultancy Mosoco. His book Cyber Security has recently been published with Gower.
He has advised a wide variety of public and private sector organisations on their digital business strategies. In addition, as leader of several digital businesses, he has had hands-on experience of the issues surrounding cyber security, data compliance and business continuity as experienced by SMEs.
Jeremy is a member of the Performance and Finance Board of TechUK (the UK’s trade organisation for the Technology Industry) and a member of the Institute of Risk Management’s cyber security SIG.