In the defence of our businesses against cybercrime, Tony Dimech discusses the necessity of a holistic approach to security with people at its heart, and training that engenders proactivity.
Last year 75% of small businesses in the UK experienced a cyber breach. The average cost of a breach for small businesses can be anything from £75,000 to a staggering £311,000. (Source: PWC).
Disruption is Inevitable
Cybercriminals disrupt businesses. Last month we saw the huge disruption to the NHS caused by a global ransomware attack. Stories of data breaches, social engineering scams and audacious hacks pepper our news every day. The fallout for the organisations concerned: financial losses, reputational damage and customers taking their business elsewhere. When GDPR becomes law in May 2018, companies who fail to protect personal information will face fines of up to 4% of global annual turnover, and the stakes will be raised still higher.
Businesses have traditionally answered the threat of hacking with investment in technology: technical attacks needed technical solutions – and that is still the case. However, the threat landscape has changed and evidence consistently shows that employees are at the heart of the vast majority of data breaches, whether because of ignorance, carelessness, error, trickery or malice. With social engineers aggressively targeting human vulnerabilities, a more holistic approach to security is required and executives and security chiefs must now find ‘people solutions’.
The Current Top 3 Threats:
- Phishing attacks
- Accidental data leaks by staff
The trend towards ‘hacking people’ has cast everyone as a frontline defender. Responsibility for the security of the organisation has been devolved from an individual (e.g. a CISO or Head of IT) or small designated team to every single employee. Security chiefs inevitably feel the tension of this situation: they’re still accountable but everyone is responsible, and their success in mitigating risks and preventing breaches relies on everyone else playing their part. In other words, they need security culture change.
Culture change, by its nature, is ‘disruptive’ – but in a good way. It’s disruptive because, to one degree or another, everyone will have to do things differently; it will mean updating processes, kicking insecure habits and adopting new behaviours. It’s disruptive because, unlike buying a tech solution to a tech problem, people will actually have to do something, every day. Creating the proactive security culture we need is not something that happens overnight with the flick of a switch but, in our experience at Layer 8, change can begin immediately.
So, disruption is inevitable. The question facing businesses is what kind of disruption they want: the disruption of a breach and a fine, or the disruption of security culture change.
Training for Front-line Defenders
We wouldn’t expect soldiers to defend a city without training, we wouldn’t expect footballers to defend their goal without training - so why would we expect people to defend their business without training? If people are the focus for cyber criminals then it’s time they were the focus for security professionals. If they are seen as the ‘weakest link’ then they have to be strengthened: they need to be invested in, and given education and training to meet their security responsibilities. But it has to be the right kind of training.
In many businesses to date, staff security awareness training has been minimally disruptive and, not surprisingly, minimally effective. Lengthy policy documents, blanket directives and emails full of ‘tech speak’ aren’t going to fire anybody’s imagination. Annual computer-based training is quickly forgotten. Answering basic multiple-choice questions doesn’t require deep learning, and compliance tests have little impact on day-to-day behaviours. Companies sometimes go further with a good old PowerPoint presentation that might contain lots of important facts and instructions but that only switches people off.
Collectively, these approaches are fatally flawed and will serve only to help today’s cybercriminals. Why? Because they render employees passive and they don’t demand action. They don’t enable conversation or collaboration. They are top-down and function to hand down rules from ‘above’. They do nothing to develop culture.
New Approaches to Training and Culture Change
We define culture as how we collectively demonstrate what matters to us on a daily basis through what we say and what we do. So, culture is about conversation and behaviour. When, every day, across your organisation, people are talking about security and doing things to improve it, that is security culture. The quality of that determines the kind of security culture you have. Our approaches to training have to be radically renewed to engender the proactive culture demanded in today’s world. They must embody the new culture we are striving for, with conversation, collaboration and action at their heart.
Interactive training promotes deep learning and an effective session leaves participants feeling motivated, energised and confident in their ability to defend their business and their homes. The effects are long-lasting and they fuel ongoing conversations that – in turn – strengthen the developing security culture.
Involving participants in workshops, setting them tasks, requiring them to take the lead, enabling them to set their agenda for action after the workshop, these are huge strides towards a proactive culture of security. It has to be this way. Our culture belongs to everyone and culture change is by its nature inclusive.
Beyond workshops and training sessions, ‘frontline defenders’ need to be supported with communications and learning materials ‘written by human beings for human beings’. That means placing people (not just technology) at the heart of security; it means empowering them with useful, practical knowledge in context, explaining why we need to change behaviours. It means marshalling the ways in which people have always communicated what matters to them: through dramatic stories that demand empathy, employing analogies to make things clear, and using humour to engage. Crucially, communications should ask questions, set problems and stimulate conversations and actions that will contribute to the developing security culture. And those communications need to be regular and accessible, so that they fit into existing work patterns and business as usual.
People are the Solution
Our experience at Layer 8 – working with a wide range of people across organisations – has only demonstrated that people are the solution; they want to be a safe pair of hands and they want to protect the people and things that matter to them. Often they just need the space, encouragement and support to do so.
When they’re enabled to take ‘ownership’ of security, to acknowledge shared values and collaborate, when they’re required to have conversations, to change behaviours and to ask for things that would help them, then we’ve seen conversations go viral, behaviours and processes change, and cultures transform.
5 Tips to Kickstart Security Culture Change
1. Collaborate - You have to, because everyone is a frontline defender of your organisation. In our experience, change happens rapidly when buy-in from the board meets a grassroots movement by ordinary employees. People on the ground want to be part of the solution and culture includes everyone.
2. Grow Your Team - To that end, many organisations develop a network of ‘security champions’ or advocates to drive change. They ‘join the dots’ between CISOs and individual employees from all tiers and sectors of the business. We’ve seen exponential change in organisations who develop champions.
3. Make the Conversation Go Viral - Central to what champions do is taking the security conversation out into the business, making sure everybody participates in it and keeping it on the agenda every day. Culture change happens when conversations change.
4. Raise Awareness with Engaging Communications - As employees shoulder their security responsibilities they want to be kept up to date with information on the latest threats and what they can do about them. Best practice needs to be conveyed in materials that keep them switched on.
5. Train for Proactivity - Throw out the 64-slide security PowerPoint as it only imparts information to a passive audience. Instead, run training that demands that everyone contributes, collaborates and takes action. Changing security culture means changing training culture.
If you’d like to read more about developing the security culture of your organisation, download Layer 8's whitepaper: Developing Security Culture – 8 practical principles for effective change.
For more on the need to invest in people over tech and why, see this excellent article published recently in the Harvard Business Review.